Analysis
max time kernel: 70s
max time network: 197s
platform: windows11-21h2_x64
resource: win11-20231222-en
resource tags: arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-01-2024 13:33
Static task: static1
Behavioral task: behavioral1
Sample: Tr Tools PRO 1.0.5.2.exe
Resource: win11-20231222-en
General
Target: Tr Tools PRO 1.0.5.2.exe
Size: 179.1MB
MD5: 64039454302ba8946380b2876075212a
SHA1: ee3694cbfceab3ce074558de3b432159dd816cb2
SHA256: c3f16db95779b1a4cf0d3861ed9c4a477f65023fa57940a204247dabefc68a74
SHA512: 7a6d943993a0a2ac0ab45a12deb463dcefc525226812532183bd0a57b04229eb99801091a64a0da4e260d34c19ad430add2f6c9784849988ddd9d5ba0d5b80ff
SSDEEP: 3145728:6gEXvze4cOXhxBroP4P4rzmSAsX56AqO7M4CJsEW19ERkrpbAOOm:UbeFuPwrzmdsX5PqOQxJuukB
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 3572, process Tr Tools PRO 1.0.5.2.tmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (5 IoCs)
  File opened for modification: C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe (process Tr Tools PRO 1.0.5.2.tmp)
  File created: C:\Program Files (x86)\Tr Tools PRO\unins000.dat (process Tr Tools PRO 1.0.5.2.tmp)
  File created: C:\Program Files (x86)\Tr Tools PRO\is-26U77.tmp (process Tr Tools PRO 1.0.5.2.tmp)
  File created: C:\Program Files (x86)\Tr Tools PRO\is-KUU8B.tmp (process Tr Tools PRO 1.0.5.2.tmp)
  File opened for modification: C:\Program Files (x86)\Tr Tools PRO\unins000.dat (process Tr Tools PRO 1.0.5.2.tmp)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3572, process Tr Tools PRO 1.0.5.2.tmp
  PID 3572, process Tr Tools PRO 1.0.5.2.tmp
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3572, process Tr Tools PRO 1.0.5.2.tmp
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2368 (Tr Tools PRO 1.0.5.2.exe) wrote to memory of PID 3572 (procid_target 81), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe (PID 2368)
  command line: "C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp (PID 3572)
    command line: "C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp" /SL5="$E0052,186960161,884736,C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe"
    signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
    - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe (PID 1324)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe" -s
      - C:\Windows\SysWOW64\cmd.exe (PID 764)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\install_all.bat" "
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2005_x64.exe (PID 2592)
          command line: vcredist2005_x64.exe /q
          - C:\Windows\SysWOW64\msiexec.exe (PID 4996)
            command line: msiexec /i vcredist.msi
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x86.exe (PID 3180)
          command line: vcredist2008_x86.exe /qb
          - \??\f:\3fdc88b7fc3078f88fcdbd19b17a4384\install.exe (PID 4936)
            command line: f:\3fdc88b7fc3078f88fcdbd19b17a4384\.\install.exe /qb
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x64.exe (PID 1520)
          command line: vcredist2008_x64.exe /qb
          - \??\f:\133f289838f280f503b46563\install.exe (PID 1228)
            command line: f:\133f289838f280f503b46563\.\install.exe /qb
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2010_x86.exe (PID 3824)
          command line: vcredist2010_x86.exe /passive /norestart
          - \??\f:\058dccb2d4e5f4de37ad20ce0876\Setup.exe (PID 5000)
            command line: f:\058dccb2d4e5f4de37ad20ce0876\Setup.exe /passive /norestart
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2010_x64.exe (PID 840)
          command line: vcredist2010_x64.exe /passive /norestart
          - \??\f:\579dcf307298e8847daacaba37717e60\Setup.exe (PID 2236)
            command line: f:\579dcf307298e8847daacaba37717e60\Setup.exe /passive /norestart
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe (PID 3036)
          command line: vcredist2012_x86.exe /passive /norestart
          - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe (PID 2076)
            command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{D3353168-AF76-428A-92F4-F41760945F7C} {10CFF1C5-8B38-4341-AEEB-FC2C3A43BD73} 3036
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe (PID 1800)
          command line: vcredist2012_x64.exe /passive /norestart
          - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe (PID 3216)
            command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{796B0363-9DF8-4F01-9506-96849B7DA64E} {8DD7ECE2-97FA-417F-BD29-5A6E52CB9885} 1800
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe (PID 1740)
          command line: vcredist2013_x86.exe /passive /norestart
          - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe (PID 4708)
            command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{E4B77225-D512-4D4D-85D0-901C6CC716B8} {A1B9AEDD-89DA-4C32-A509-60D571E41BD7} 1740
          - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe (PID 2648)
            command line: "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{CB283081-27FC-4E90-87DA-BDA0D0FD5917} {B8724963-7CAB-4690-9690-CCC114F1F8B1} 1740
            - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe (PID 3148)
              command line: "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{CB283081-27FC-4E90-87DA-BDA0D0FD5917} {B8724963-7CAB-4690-9690-CCC114F1F8B1} 1740 -burn.unelevated BurnPipe.{06C49572-0D9B-458E-A8BC-2BE70FE8BC31} {5E986F47-6306-47B7-9D91-0A31778D2534} 2648
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe (PID 4616)
          command line: vcredist2013_x64.exe /passive /norestart
          - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe (PID 4044)
            command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{B707319C-E8E4-4C20-A2D0-C87EC40E8586} {CA0B4D9D-287D-46BE-A129-E76E8772C64F} 4616
          - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe (PID 768)
            command line: "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{53D74E02-256A-4723-8FE7-68DEC131A9D0} {1A3DAABF-62A1-445E-9775-4CF763FAA3F0} 4616
            - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe (PID 1080)
              command line: "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{53D74E02-256A-4723-8FE7-68DEC131A9D0} {1A3DAABF-62A1-445E-9775-4CF763FAA3F0} 4616 -burn.unelevated BurnPipe.{6F915EBB-B699-4238-B3D7-7D4BC6819D42} {076A5A80-9FDD-4F38-9971-2DE6E69FB799} 768
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x86.exe (PID 4444)
          command line: vcredist2015_2017_2019_2022_x86.exe /passive /norestart
          - C:\Windows\Temp\{D331DFBA-B9FB-4864-A9A3-921E1A05F3B2}\.cr\vcredist2015_2017_2019_2022_x86.exe (PID 3452)
            command line: "C:\Windows\Temp\{D331DFBA-B9FB-4864-A9A3-921E1A05F3B2}\.cr\vcredist2015_2017_2019_2022_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x86.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /passive /norestart
        - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x64.exe (PID 632)
          command line: vcredist2015_2017_2019_2022_x64.exe /passive /norestart
          - C:\Windows\Temp\{DA2E8DC2-4D3F-4573-926E-33963E436C14}\.cr\vcredist2015_2017_2019_2022_x64.exe (PID 1444)
            command line: "C:\Windows\Temp\{DA2E8DC2-4D3F-4573-926E-33963E436C14}\.cr\vcredist2015_2017_2019_2022_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /passive /norestart
    - C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe (PID 1180)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe" /VERYSILENT
- C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2005_x86.exe (PID 4828)
  command line: vcredist2005_x86.exe /q
  - C:\Windows\SysWOW64\msiexec.exe (PID 2012)
    command line: msiexec /i vcredist.msi
- C:\Windows\system32\msiexec.exe (PID 1072)
  command line: C:\Windows\system32\msiexec.exe /V
  - C:\Windows\system32\srtasks.exe (PID 1692)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 988)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding F8CDECD2AC29CB4D51788FB70BD26C40
  - C:\Windows\syswow64\MsiExec.exe (PID 1864)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 52BC520083C2EF16C414D32F66ECE329
- C:\Windows\system32\vssvc.exe (PID 3792)
  command line: C:\Windows\system32\vssvc.exe
- C:\Users\Admin\AppData\Local\Temp\is-J9447.tmp\LibUsb.tmp (PID 4396)
  command line: "C:\Users\Admin\AppData\Local\Temp\is-J9447.tmp\LibUsb.tmp" /SL5="$70066,1110214,831488,C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe" /VERYSILENT
- C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe (PID 1128)
  command line: "C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads