Analysis
Max time kernel: 426s
Max time network: 447s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 25-01-2024 01:43

Tasks
Static task: static1
Behavioral task: behavioral1 (sample: ttd_scam_tool_api.exe, resource: win7-20231215-en)
Behavioral task: behavioral2 (sample: ttd_scam_tool_api.exe, resource: win10v2004-20231215-en)
General
Target: ttd_scam_tool_api.exe
Size: 134.0MB
MD5: 6ae4dad56fcd74438d8af1757d7f33eb
SHA1: f7ebe503c1946803f4ab1396e633bfffdce75c39
SHA256: 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
SHA512: 3a86f8f1b9e8e5629a1f6097b8ca25905676cabd6083116e5c3a545b728e37ffe53f25571c86ca97f9727cebd5bf9a33250027af703728c3b94beb5de7a508dc
SSDEEP: 1536:nfEMGNYm3LveC4lOJqrkbH4HMAa7n6wBmMOQbY:8zGplOYrkbHj3sMOQk
Malware Config
Extracted family: xworm
147.185.221.16:40164
install_file: tmp.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/memory/2072-0-0x0000000000A50000-0x0000000000A64000-memory.dmp | family_xworm
Obfuscated with Agile.Net obfuscator (17 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource | yara_rule
  behavioral1/memory/2788-136-0x0000000000540000-0x0000000000560000-memory.dmp | agile_net
  behavioral1/memory/2788-150-0x00000000005A0000-0x00000000005BE000-memory.dmp | agile_net
  behavioral1/memory/2788-152-0x000000001B400000-0x000000001B54A000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.Licensing.dll | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuCheckBox.dll | agile_net
  behavioral1/memory/2788-148-0x0000000000590000-0x00000000005A0000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuShadowPanel.dll | agile_net
  behavioral1/memory/2788-146-0x0000000001F00000-0x0000000001F5A000-memory.dmp | agile_net
  behavioral1/memory/2788-155-0x000000001B090000-0x000000001B110000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.1.5.3.dll | agile_net
  behavioral1/memory/2788-144-0x0000000000580000-0x000000000058E000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuColorTransition.dll | agile_net
  behavioral1/memory/2788-142-0x000000001A580000-0x000000001A5EE000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuLabel.dll | agile_net
  behavioral1/memory/2788-139-0x0000000000560000-0x0000000000580000-memory.dmp | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuTextBox.dll | agile_net
  C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuButton.dll | agile_net
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid | process
  2760 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  1960 | powershell.exe
  3064 | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2072 | ttd_scam_tool_api.exe
  Token: SeDebugPrivilege | 1960 | powershell.exe
  Token: SeDebugPrivilege | 3064 | powershell.exe
  Token: SeRestorePrivilege | 1712 | 7zG.exe
  Token: 35 | 1712 | 7zG.exe
  Token: SeSecurityPrivilege | 1712 | 7zG.exe
  Token: SeSecurityPrivilege | 1712 | 7zG.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  1712 | 7zG.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 2072 wrote to memory of 1960 | 2072 | ttd_scam_tool_api.exe | powershell.exe
  PID 2072 wrote to memory of 1960 | 2072 | ttd_scam_tool_api.exe | powershell.exe
  PID 2072 wrote to memory of 1960 | 2072 | ttd_scam_tool_api.exe | powershell.exe
  PID 2072 wrote to memory of 3064 | 2072 | ttd_scam_tool_api.exe | powershell.exe
  PID 2072 wrote to memory of 3064 | 2072 | ttd_scam_tool_api.exe | powershell.exe
  PID 2072 wrote to memory of 3064 | 2072 | ttd_scam_tool_api.exe | powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe (PID 2072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1960, child of 2072)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3064, child of 2072)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files\7-Zip\7zG.exe (PID 1712)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap29248:86:7zEvent13485
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\NOTEPAD.EXE (PID 2760)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\blank.txt
  - Opens file in notepad (likely ransom note)

C:\Users\Admin\Desktop\Umbral.builder.exe (PID 2788)
  Command line: "C:\Users\Admin\Desktop\Umbral.builder.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads