Analysis Overview
SHA256
5efb1e10a940dcb9d561d42a48090ea7310f90fa179392149e4a8d3fd74ab80a
Threat Level: Shows suspicious behavior
Verdict for the file TPS V2 Umi Keygen(SoftwareCrackGuru).rar: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 10:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 10:28
Reported
2024-03-01 10:31
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 768
Network
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe
| MD5 | aa307365f26331d9172190d595771601 |
| SHA1 | f57d8851c804c94578277c32f377ab14f8ab1fa5 |
| SHA256 | 3bdb8e8f053bbf758588c7dc39ecab3bca2152f4d9f20b4ebc5fe52d38592e4a |
| SHA512 | 3891c7e2f141d1b8ebdad1061b8cbe9f51c5a49cbaace6cae6524d7edffa128285e96d79ba860278b7f37bae81c32e3a32eea89ec1b4436d668f4a3056a34420 |
memory/2252-22-0x0000000000EB0000-0x0000000000F28000-memory.dmp
memory/2252-23-0x0000000073890000-0x0000000073F7E000-memory.dmp
memory/2252-29-0x0000000073890000-0x0000000073F7E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-01 10:28
Reported
2024-03-01 10:31
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 548 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe |
| PID 548 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe |
| PID 548 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\TPS V2 Umi Keygen.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPS Tool V3.exe
| MD5 | aa307365f26331d9172190d595771601 |
| SHA1 | f57d8851c804c94578277c32f377ab14f8ab1fa5 |
| SHA256 | 3bdb8e8f053bbf758588c7dc39ecab3bca2152f4d9f20b4ebc5fe52d38592e4a |
| SHA512 | 3891c7e2f141d1b8ebdad1061b8cbe9f51c5a49cbaace6cae6524d7edffa128285e96d79ba860278b7f37bae81c32e3a32eea89ec1b4436d668f4a3056a34420 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tpsControllerLib.dll
| MD5 | 6d1a30cea4ad42edb142dfa44832e108 |
| SHA1 | e7fb38884f7586236ca6adebd9bb12ebe1784748 |
| SHA256 | 1c38284d7cfb0b7dd09012d9de10e92a1c9ee7a8ea33f6489201a71d80d12457 |
| SHA512 | ae96a8d9ce586ac83a31d8d381347c28ab1863c138bd1b0ffbe1ac4798bc1358e61bf72bbcf0436dac2a730cb468c1ccc046a64488e02ef775808a23bd3f565d |
memory/4812-30-0x00000000092A0000-0x00000000093BE000-memory.dmp
memory/4812-31-0x00000000053F0000-0x0000000005400000-memory.dmp
memory/4812-32-0x0000000002E50000-0x0000000002E51000-memory.dmp
memory/4812-33-0x00000000093E0000-0x0000000009734000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HuaweiUpdateLibrary.dll
| MD5 | 81a188ac5da8e396126bbff00430f6f9 |
| SHA1 | ab98043226e10a53101835cbdb1c0f8068c9ef3a |
| SHA256 | 6db66509ae09649c059b63d9ca036c7a37dc213ac478ffd03223efb4eec6b922 |
| SHA512 | 4942a7666f7e58b213e2a1da14f3be32d81fbca0f063a5dd775957d8550538e566f654131065e50eda3b0cb931637536fe472cd677f17e7fd8ba5808be0ff059 |
memory/4812-37-0x0000000009280000-0x000000000928C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tpsThemeLib.dll
| MD5 | bbf4d1132f017b5e723402caa109c70c |
| SHA1 | d91dddbb8b1b2b516d7956b04e57864d4e47c8b0 |
| SHA256 | 037b9e81977a0fbdcebf942f88fdf548c3e9173df5a8fc55236eeefe30ee6fbb |
| SHA512 | 82249ed7f81a2242ac2846df7835807134fddc8a9e7191b581959bcbca24c725ce6dbce64a7b82d5e6c815273084a2f0a3bf176552c43b3c353812f3cb572e86 |
memory/4812-41-0x0000000009820000-0x00000000098F2000-memory.dmp
memory/4812-43-0x00000000053F0000-0x0000000005400000-memory.dmp