1c4d6232973923b1b75e33f012b526856580d4153bdeabeac110472c2796359d

Analysis

max time kernel
29s
max time network
38s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TGMacro.exe
Size

1.1MB
MD5

fd6ce55d0fc4454a0a0912997cb104c2
SHA1

703e2f81a950acf7e635ca4d008c1941cea33afd
SHA256

1c4d6232973923b1b75e33f012b526856580d4153bdeabeac110472c2796359d
SHA512

b975ed80de6eccd069b49f09a6691115bdfb599432c79a0439d1c714595be556cd0e27b8e69fe6846e54eb079bea3c2cbd80d6b306c8b5cd9a20a1dd593cc6fb
SSDEEP

6144:7tXr3Ifz4PrJvnNVq5CCDymFEymFEymFEymFEymFTymF8ymFYRM3GWOTymqNi:75r3Kz4NvneOssssjajRM3BOmo

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AEBEC41-E250-11EE-B7D6-72515687562C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2320	iexplore.exe
2320	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2320	2332	TGMacro.exe	28
PID 2332 wrote to memory of 2320	2332	TGMacro.exe	28
PID 2332 wrote to memory of 2320	2332	TGMacro.exe	28
PID 2320 wrote to memory of 2564	2320	iexplore.exe	30
PID 2320 wrote to memory of 2564	2320	iexplore.exe	30
PID 2320 wrote to memory of 2564	2320	iexplore.exe	30
PID 2320 wrote to memory of 2564	2320	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\TGMacro.exe
"C:\Users\Admin\AppData\Local\Temp\TGMacro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.trksyln.net/tgmacro/download
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a148025d148111b88809272580e4bb81

SHA1
dbc09eb4a00ef5e35445b8cfed4aaaea16ced8fa

SHA256
502e6b05b7f49fced42f313f6372cbb8288b1dc760da55dd27f6bae7e81e48d5

SHA512
08f5d1a876d7beb5246f718136c377d93863475513f984b24d75ecde286bda0a57b0bcca507e60e4dde8898e86e78b6ecb0b0e77eea40c5e722ee7e3428bf52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d58f23a64c9cf4a7abf18fb04178d840

SHA1
55c3f5ce5139bb126515ee4dafef603caa6b3b1f

SHA256
62a8cfe9b547a52c6e8409dbf1832418a5800b1aa8787cac493bf9b1dea9b98c

SHA512
c44083a55e57cfbeefd5f831434add81ee36f43b2bad3d6d68f66c35a5f2238d3b9a02d10e8b92d1a363ffbc1505efe8fdfa440cabb03b1dc7bea44bfa38a194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef34941735a657d6aca5ad0837eed008

SHA1
be6a55d47b11d62664171da58d4c88957f0f5085

SHA256
51dfa1f422eaa2fc3ea23aa910c2f39fe6d7d09140697b32f1f3d9d3a91eef85

SHA512
82f3f8b6e10dd86e836277c17bf94c8d0811f5132fdad8f16dea23d4d195eacae2bf1a87327c557344bb9059cc791aa9c3845168dcd4f9c6c094505a964a3b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88b239015beca5740c92c498c59d300d

SHA1
9c00c6f55da46fc0d94da6d314a0cf1e2e768f88

SHA256
a6c2a88a0a17312c109caa99ff1f30178a7cc7f8c97f94af93f702d1f1bbae58

SHA512
0b493d8b7eaf6132de40a3450537cfcb39f372c0b64551a3a284301ee41fd04a89ff7ba009cd5080ced72066577b4a2d90e86f0245e97d5659d68984488a5170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e51a9a72be97b36b61346cd55150b4c3

SHA1
3866bd0c5d2b8f3a190d92ee0ffec6b17e541976

SHA256
2faf40b7f02085b2bf443ca931626defc41e204810bc293421242d7e7f9de6c9

SHA512
088a382f148cc4307eb3b4f1c24c1b6b7f17ed72c0bb01395bd890cb3ee0c124013bab8644c2151d6ac7b8311955b77d971fc0abe80c00ee00583d609b22c6a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e17f4ce2c38ca5926e4a08e14f0ec4b5

SHA1
e835f4da8a0d478b941d6c7276094444cde6e610

SHA256
5782ce7921c16569a65117358f3e043387c44ea4d45999c1c9aca423b24b5f76

SHA512
fcf3446b907be501d6d17f25ede89d6ec5a42f44531efd43252a209a55cd09b55b54f8af16356aaeb48333e08384cf650f00997736208b150aeb5669d2327ef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1711f1db1194527f6d9be944a32a1288

SHA1
729aac24788e7a39b5209a5bd09b863881a2c069

SHA256
e9a6720c8840d0bd6c9b8544de513b5f690c7870ef22e52784c7c33ab1f44450

SHA512
9973bdad4491984928c013e03b548c3f0af6740ad178d046a1be09f250463d2abddb968172b5bb0b106ffc112679894ed2204b5ed4131102e533abe871669b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
690db53eff6965b8ef0c92bdefab836d

SHA1
5d2f09b227cc4d907c1ddeb9dc0d304a1d6eea0a

SHA256
6ae3c93a80b90ef58659bbe9df49f7725511530392c82bbcec690d253a4ce86c

SHA512
3091b2356c5f56c6711e15cfdd97a745758e4b8b0f5ec0e3621ff2279eb83788209db573b5dcbfe8b9ca30cddc7db3ead0cb18261fbbef2c6bf4c3047aeb8b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b5b2786b98394c8a0f32a1f1aa35a2c

SHA1
8a0df03ad3a7f99d6e18152c43f81c7df5a25c8f

SHA256
f4846c986be2b5ac4a92983f6096095ea7dcc577e7627204a12d9ba8cf12ac8b

SHA512
1d50dd77e03cb2577b1c05186d6c5ec5b3dd05d2c995b2a3ad973ac05dcf6e10d405a35ef847373d2173bfa8049735d659c7a16bc34b276a0d7de2233396e203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9ee313ed63737b4e01ca83cec6f2196

SHA1
31d05f283a811c25b7c13b5a25430ecbb5e27d23

SHA256
cc1f071531fc40a45db901fc19d5e2e706558e125cea0ca3cd8df2ae46a87dee

SHA512
41e33774cc834c83df3e05043ae573177dc5913da335dd6ec1be8c03847918f7fb5e093f567944c35fb3f72819667743a905effc7a2bb937dec5e017066f4885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d3f14e3f5124f934225fb95e3991d22

SHA1
c5b9f28de1393f980dc3c669675f923382b5cc35

SHA256
2a0184c3e49a5fa521ff9a99440d0a52301e7e80b8dc32bb470dc4b132183dda

SHA512
19a1bfe68d832f57073c75792ff5c81756cda5f3d7d8137e5d4c892234cfb8ccd338de1e9f621f0f375d5f9fc2dc96a38c7934280662215973924d8285ebbc59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9b98e37429afcd6f5c495be7239919c

SHA1
3ed58333345ff76e50f6c397cb7968fdcdf4e57a

SHA256
e19b5ac32c57f7291bcd4148524e030ecd3a66bd64624b7fe52f24e9f27180ec

SHA512
14ffed08aeab7ee9ec7f651b97c776ee40ac196ca702288a2ff7e5a684feab3dad7c1807d33fb4db890eeee0b660abae28e86b27872cb92eec4cf7dd0a0c6900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
990a42388a87d50d00deab8bdfa1f884

SHA1
2bc643b94e9acaa261459deb3fdf0c886a36fe0a

SHA256
3586b9422cdb9746f5a2ac31fec20dde754038b6ff99baf27d22730f4cef0b24

SHA512
f3fb99b8b823a970cbf192336ce5d07e3c2d8f56a1add9cb615b5670cbf8815e151ac2514a5440f155caf5bc0bb64c9158734d1fc8ef207b6f8e737c04d43546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
dd8171400ea95e9ad149c8a0276414b7

SHA1
34f1811ff1be6cc09445b5347aac4ff9f39f2a09

SHA256
9db9929b3c91e32335c37902fe19f3f4ee5e10f77ddffaf4497142fa81ebd833

SHA512
384458bedb11cd26c25a2898a778d819faf2970ed28860a69f9a00b77dab3c4f9eeedc92498a0654c562a02ea3225aa93b89efac08c1c90d7b97b61418d75247

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BED.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2332-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-0-0x0000000000C40000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2332-2-0x000000001AFF0000-0x000000001B070000-memory.dmp

Filesize
512KB

Download
memory/2332-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download