Analysis
-
max time kernel
300s -
max time network
340s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 01:43
Static task
static1
Behavioral task
behavioral1
Sample
ttd_scam_tool_api.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ttd_scam_tool_api.exe
Resource
win10v2004-20231215-en
General
-
Target
ttd_scam_tool_api.exe
-
Size
134.0MB
-
MD5
6ae4dad56fcd74438d8af1757d7f33eb
-
SHA1
f7ebe503c1946803f4ab1396e633bfffdce75c39
-
SHA256
7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
-
SHA512
3a86f8f1b9e8e5629a1f6097b8ca25905676cabd6083116e5c3a545b728e37ffe53f25571c86ca97f9727cebd5bf9a33250027af703728c3b94beb5de7a508dc
-
SSDEEP
1536:nfEMGNYm3LveC4lOJqrkbH4HMAa7n6wBmMOQbY:8zGplOYrkbHj3sMOQk
Malware Config
Extracted
xworm
147.185.221.16:40164
-
install_file
tmp.exe
Extracted
stealerium
https://discord.com/api/webhooks/1199882194563375134/BlKFjcskSdc3YJCarURg3NxHYwpdgZephikS_4FJIYtsxPHFWDTBNDilXJMy9dpmwpTu
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral2/memory/1864-87-0x0000000000B20000-0x0000000000B2E000-memory.dmp disable_win_def -
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1864-0-0x00000000002C0000-0x00000000002D4000-memory.dmp family_xworm -
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ttd_scam_tool_api.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation ttd_scam_tool_api.exe -
Executes dropped EXE 1 IoCs
Processes:
Builder.exepid process 5000 Builder.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 1616 powershell.exe 1616 powershell.exe 1368 powershell.exe 1368 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
ttd_scam_tool_api.exepowershell.exepowershell.exe7zG.exedescription pid process Token: SeDebugPrivilege 1864 ttd_scam_tool_api.exe Token: SeDebugPrivilege 1616 powershell.exe Token: SeDebugPrivilege 1368 powershell.exe Token: SeRestorePrivilege 4764 7zG.exe Token: 35 4764 7zG.exe Token: SeSecurityPrivilege 4764 7zG.exe Token: SeSecurityPrivilege 4764 7zG.exe Token: SeShutdownPrivilege 1864 ttd_scam_tool_api.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
7zG.exepid process 4764 7zG.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ttd_scam_tool_api.exedescription pid process target process PID 1864 wrote to memory of 1616 1864 ttd_scam_tool_api.exe powershell.exe PID 1864 wrote to memory of 1616 1864 ttd_scam_tool_api.exe powershell.exe PID 1864 wrote to memory of 1368 1864 ttd_scam_tool_api.exe powershell.exe PID 1864 wrote to memory of 1368 1864 ttd_scam_tool_api.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31003:78:7zEvent102031⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4764
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt1⤵PID:2868
-
C:\Users\Admin\Desktop\Builder.exe"C:\Users\Admin\Desktop\Builder.exe"1⤵
- Executes dropped EXE
PID:5000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD5d41bff259e1ebb625fc788fa681377ad
SHA1b5c8b7725d6f885db30e9237682abfec72aa65be
SHA256d6a04809c3737f76818082a2caf9b80ac7f0e14bc73b2fabdea2df46d9e25a52
SHA5128aaed8b1b2e40c5a631753789fcf34dadf95a4aab29f852a98ecb3dc30dc5c1df11d69081fb17282c78e0310e65567ab7339bc58efba6fc7b6f729f31fc040e3
-
Filesize
216KB
MD541dd506cd0525197e69d9c8592aed2a7
SHA15d04b134c8f1800fbcd664898d34dee8d10d8fa8
SHA256dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c
SHA51216ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b
-
Filesize
146KB
MD56c898b9e5467f6d3442a579b7856bdaf
SHA19522f2f219deaf4bb52262c2a5d23393037ec35f
SHA2568bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f
SHA512df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41
-
Filesize
253B
MD524e4653829de1022d01cd7ddd26e2f22
SHA19160a009cb381e044ba4c63e4435da6bfeb9dc6d
SHA256ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91
SHA512efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820
-
Filesize
351KB
MD56d8d43c5d7dbe36ec01ff8b951cf1e0a
SHA1d6b8214419870770e1ce398ca06a6a9f0e9e62a3
SHA2569c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487
SHA512221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57
-
Filesize
123B
MD54f10bf483c9fe7cb6834229399b10573
SHA121665c74392b32fda4931d621c84530046f0d624
SHA256e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105
SHA51260d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048
-
Filesize
1.7MB
MD5523dced95fcb0120698fc194b159a5cd
SHA19f6e4c7269caaf2e09b6961551102b1ec16e60a0
SHA2560d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219
SHA512325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255
-
Filesize
16KB
MD5099edbe28aaacada8a7a12a414a1d68b
SHA10cc1b8ed4448f4c7246dc859a6359fda20c2d927
SHA25652fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee
SHA51207995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5
-
Filesize
693KB
MD546684228e7c345a3368e8a475ec573b7
SHA1aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433
SHA256b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257
SHA512ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31
-
Filesize
2.8MB
MD5c956487c81dc16555e9232408efbe44d
SHA19272088c2dc913b3c6e779a091755b07e7fa3050
SHA25649d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722
SHA5121d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c
-
Filesize
1.6MB
MD5be2f3202f1b8c74620ab1b5e83ff1ce4
SHA19a0b4ac36b2fc6b21a99ee150b175a1fc4ac0ee6
SHA2560803e42cecd8aea57d7b6ab5ea3662bbfa2aa2d2a6dfe4c819a39174bf7952d9
SHA512526f6fc76037cb8a60010ab7bfb113eda3ab1044866908c5dc7547290c70eb974424078c30115703ad3752ee2ed2d844a8564d9be5484e7fa112a57fee8be853
-
Filesize
1.6MB
MD56627adf7167ee571e8fd6c8b1a0e8ae3
SHA103b9112660ee73c59d84e219f15bf24ae9df48db
SHA2566c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f
SHA512e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60