2e8bc88df755f2a3fe6639fe58bf8384cb939d13f7769a8ffb029d3b0665d07b

Analysis

max time kernel
151s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TbMate.exe
Size

4.4MB
MD5

f17db2cd5ef9ab8d4d484c928857f073
SHA1

e91f754f3cd2ce19142bff88accb97b813379cd8
SHA256

7fbdf419c7b6698c7b8cf52bde391ca6d61dfc546daf8c2b0fe4526306c44e0d
SHA512

59d4b7a8950816e13a5504456a73d608381952a8ae0e0dd6bd9873fb4646983e3634f21668a4f2fed5b9f2f16198c66e7656a98390643515fb7eca06c619fd80
SSDEEP

49152:LLGzEVZrjqcWXwJP5e8tFd9GsEG0y/NTAJVrIsid9iESVXt12bV1wWbsxtvV7N:LUyqcLBtFDGsgy2JhIBUl72b4T

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\DefaultIcon	xEngine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\URL Protocol	xEngine.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\shell\open\command	xEngine.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\shell\open	xEngine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xEngine.exe\" \"%1\""	xEngine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xEngine.exe"	xEngine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\ = "URL: ECTP Protocol"	xEngine.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP	xEngine.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ECTP\shell	xEngine.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	Consolex.exe
3052	Consolex.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4972	xEngine.exe
4972	xEngine.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4972	xEngine.exe
4972	xEngine.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4596	TbMate.exe
4596	TbMate.exe
4972	xEngine.exe
4596	TbMate.exe
4972	xEngine.exe
4972	xEngine.exe
4596	TbMate.exe
4596	TbMate.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3052	4596	TbMate.exe	91
PID 4596 wrote to memory of 3052	4596	TbMate.exe	91
PID 4596 wrote to memory of 3052	4596	TbMate.exe	91
PID 3052 wrote to memory of 4972	3052	Consolex.exe	92
PID 3052 wrote to memory of 4972	3052	Consolex.exe	92
PID 3052 wrote to memory of 4972	3052	Consolex.exe	92

C:\Users\Admin\AppData\Local\Temp\TbMate.exe
"C:\Users\Admin\AppData\Local\Temp\TbMate.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\Consolex.exe
  /Start xEngine
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\xEngine.exe
    "C:\Users\Admin\AppData\Local\Temp\xEngine.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:4560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-0-0x0000000075D40000-0x0000000075DBA000-memory.dmp

Filesize
488KB

Download
memory/4596-1-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-2-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-3-0x0000000075D40000-0x0000000075DBA000-memory.dmp

Filesize
488KB

Download
memory/4596-4-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-5-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-6-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-7-0x0000000075D40000-0x0000000075DBA000-memory.dmp

Filesize
488KB

Download
memory/4596-8-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-9-0x0000000075D40000-0x0000000075DBA000-memory.dmp

Filesize
488KB

Download
memory/4596-10-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-11-0x00000000752D0000-0x00000000752F5000-memory.dmp

Filesize
148KB

Download
memory/4596-12-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-13-0x0000000075D40000-0x0000000075DBA000-memory.dmp

Filesize
488KB

Download
memory/4596-14-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-15-0x00000000752D0000-0x00000000752F5000-memory.dmp

Filesize
148KB

Download
memory/4596-16-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-17-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-20-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-21-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-22-0x00000000752D0000-0x00000000752F5000-memory.dmp

Filesize
148KB

Download
memory/4596-23-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-24-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-26-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-25-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-28-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-27-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-30-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-31-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-29-0x00000000757B0000-0x0000000075893000-memory.dmp

Filesize
908KB

Download
memory/4596-32-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-33-0x0000000076840000-0x000000007691C000-memory.dmp

Filesize
880KB

Download
memory/4596-34-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-35-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-36-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-37-0x00000000757B0000-0x0000000075893000-memory.dmp

Filesize
908KB

Download
memory/4596-38-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-39-0x0000000074A30000-0x0000000074AA4000-memory.dmp

Filesize
464KB

Download
memory/4596-40-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-41-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-42-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-43-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-45-0x0000000074A30000-0x0000000074AA4000-memory.dmp

Filesize
464KB

Download
memory/4596-46-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-47-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-48-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-49-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-50-0x00000000752D0000-0x00000000752F5000-memory.dmp

Filesize
148KB

Download
memory/4596-52-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-53-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-51-0x0000000074A30000-0x0000000074AA4000-memory.dmp

Filesize
464KB

Download
memory/4596-44-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-54-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-56-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download
memory/4596-55-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-57-0x0000000074A30000-0x0000000074AA4000-memory.dmp

Filesize
464KB

Download
memory/4596-58-0x0000000074340000-0x00000000743BA000-memory.dmp

Filesize
488KB

Download
memory/4596-59-0x0000000000200000-0x0000000000671000-memory.dmp

Filesize
4.4MB

Download
memory/4596-60-0x0000000076840000-0x000000007691C000-memory.dmp

Filesize
880KB

Download
memory/4596-61-0x0000000075C90000-0x0000000075D3F000-memory.dmp

Filesize
700KB

Download
memory/4596-62-0x0000000076940000-0x0000000076EF3000-memory.dmp

Filesize
5.7MB

Download
memory/4596-66-0x0000000075020000-0x0000000075230000-memory.dmp

Filesize
2.1MB

Download
memory/4596-67-0x00000000757B0000-0x0000000075893000-memory.dmp

Filesize
908KB

Download
memory/4596-68-0x0000000074F70000-0x0000000074F9C000-memory.dmp

Filesize
176KB

Download