Analysis
Max time kernel: 1471s
Max time network: 1501s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
Submitted: 25-01-2024 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: ttd_scam_tool_api.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ttd_scam_tool_api.exe
  Resource: win10v2004-20231215-en
General
Target: ttd_scam_tool_api.exe
Size: 134.0MB
MD5: 6ae4dad56fcd74438d8af1757d7f33eb
SHA1: f7ebe503c1946803f4ab1396e633bfffdce75c39
SHA256: 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
SHA512: 3a86f8f1b9e8e5629a1f6097b8ca25905676cabd6083116e5c3a545b728e37ffe53f25571c86ca97f9727cebd5bf9a33250027af703728c3b94beb5de7a508dc
SSDEEP: 1536:nfEMGNYm3LveC4lOJqrkbH4HMAa7n6wBmMOQbY:8zGplOYrkbHj3sMOQk
Malware Config
Extracted: xworm
  147.185.221.16:40164
  install_file: tmp.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource: behavioral2/memory/2192-90-0x000000001A700000-0x000000001A70E000-memory.dmp  yara_rule: disable_win_def
Detect Xworm Payload (1 IoC)
Processes:
  resource: behavioral2/memory/2192-0-0x00000000000E0000-0x00000000000F4000-memory.dmp  yara_rule: family_xworm
Stealerium
An open source info stealer written in C#, first seen in May 2022.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  ttd_scam_tool_api.exe: Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes:
  PID 4448 Builder.exe
  PID 4756 Builder.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 3708 powershell.exe
  PID 3708 powershell.exe
  PID 4364 powershell.exe
  PID 4364 powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 2192 ttd_scam_tool_api.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  Token: SeDebugPrivilege     PID 2192 ttd_scam_tool_api.exe
  Token: SeDebugPrivilege     PID 3708 powershell.exe
  Token: SeDebugPrivilege     PID 4364 powershell.exe
  Token: SeRestorePrivilege   PID 4344 7zG.exe
  Token: 35                   PID 4344 7zG.exe
  Token: SeSecurityPrivilege  PID 4344 7zG.exe
  Token: SeSecurityPrivilege  PID 4344 7zG.exe
  Token: SeShutdownPrivilege  PID 2192 ttd_scam_tool_api.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 4344 7zG.exe
  PID 4268 NOTEPAD.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 2192 ttd_scam_tool_api.exe wrote to memory of PID 3708 powershell.exe
  PID 2192 ttd_scam_tool_api.exe wrote to memory of PID 3708 powershell.exe
  PID 2192 ttd_scam_tool_api.exe wrote to memory of PID 4364 powershell.exe
  PID 2192 ttd_scam_tool_api.exe wrote to memory of PID 4364 powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
  PID: 2192
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2192)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
    PID: 3708
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2192)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
    PID: 4364
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap28960:78:7zEvent5209
  PID: 4344
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Builder.exe
  Command line: "C:\Users\Admin\Desktop\Builder.exe"
  PID: 4448
  - Executes dropped EXE

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
  PID: 5088

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
  PID: 2336

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
  PID: 4268
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Builder.exe
  Command line: "C:\Users\Admin\Desktop\Builder.exe"
  PID: 4756
  - Executes dropped EXE

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1460
Network
MITRE ATT&CK Enterprise v15
Downloads