Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 17:08
Static task: static1

Behavioral task: behavioral1
  Sample: 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
  Resource: win10v2004-20240226-en
General

Target: 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
Size: 204KB
MD5: 6de2af972d67d50ac73cd25f23f5e993
SHA1: 22ed403f9afa1fea3c5052b57cc2923a97fb2724
SHA256: 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa
SHA512: 96edcbd7b2f2b3d66332e8dd9ad9af1e202e8481f45fb16a8a646186ff09da3f8e2ba74de07df9df4c16e0db910431b8bd38f13646c3f89742015553e7118be4
SSDEEP: 3072:6mIW88b0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWVk8:1dz4QxL7B9W0c1RCzR/fSmlu/
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Both processes set the per-user Explorer option that controls whether "super hidden" (hidden + system) files are shown:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tiidaa.exe
Executes dropped EXE (1 IoC)
pid | Process
2080 | tiidaa.exe
Loads dropped DLL (2 IoCs)
pid | Process
1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 writes target the same per-user autorun value, \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiidaa; the parent writes it once, then the dropped tiidaa.exe rewrites it 26 more times with a different single-letter switch each time.
description | data | Process
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /b" | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /b" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /d" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /w" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /f" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /p" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /h" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /m" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /v" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /r" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /u" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /n" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /i" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /x" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /k" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /y" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /t" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /c" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /l" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /g" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /o" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /z" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /j" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /q" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /a" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /e" | tiidaa.exe
Set value (str) | "C:\\Users\\Admin\\tiidaa.exe /s" | tiidaa.exe
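The two registry signatures above (ShowSuperHidden forced to 0, and the per-user Run value written 27 times from a path under C:\Users) are the kind of rows an analyst wants to pull out of a sandbox report mechanically. The script below is an added triage example; it is not part of the sandbox report and not code from the sample. The input rows are constructed from the report's own IoC tables, and the flagging rules (an autorun value whose command points into the user profile, and ShowSuperHidden set to "0") are this example's assumptions, not the sandbox's signature logic.

```python
"""Pull autorun and hidden-file IoCs out of sandbox "Set value" rows.

Added example, not part of the report. Input rows are constructed from the
report's IoC tables; the flagging rules are this example's assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

SID = "S-1-5-21-2297530677-1229052932-2803917579-1000"
HKU = r"\REGISTRY\USER" + "\\" + SID
EXPLORER_ADV = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
PARENT = "0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe"
CHILD = "tiidaa.exe"

# Constructed from the report: (description, ioc, process), in the report's order.
# The sandbox renders path data with doubled backslashes, reproduced here.
SAMPLE_IOCS = [
    ("Set value (int)", EXPLORER_ADV + r'\ShowSuperHidden = "0"', PARENT),
    ("Set value (int)", EXPLORER_ADV + r'\ShowSuperHidden = "0"', CHILD),
    ("Set value (str)", RUN + r'\tiidaa = "C:\\Users\\Admin\\tiidaa.exe /b"', PARENT),
] + [
    ("Set value (str)", RUN + r'\tiidaa = "C:\\Users\\Admin\\tiidaa.exe /' + c + '"', CHILD)
    for c in "bdwfphmvrunixkytclgozjqaes"   # the 26 switches tiidaa.exe cycles through
]

# Assumed rule: autorun keys are those ending in Run / RunOnce under CurrentVersion.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


@dataclass(frozen=True)
class RegWrite:
    kind: str      # value type from "Set value (int)" / "Set value (str)"
    key: str       # full key path without the value name
    name: str      # value name
    data: str      # data with the sandbox's backslash doubling undone
    process: str   # writing process as reported


def parse_ioc(description: str, ioc: str, process: str) -> RegWrite:
    """Split '<key>\\<name> = "<data>"' into its parts."""
    kind = re.search(r"\((\w+)\)", description).group(1)
    key_and_name, _, raw = ioc.partition(" = ")
    key, _, name = key_and_name.rpartition("\\")
    data = raw.strip('"').replace("\\\\", "\\")
    return RegWrite(kind, key, name, data, process)


def is_autorun_key(key: str) -> bool:
    return key.lower().endswith(AUTORUN_SUFFIXES)


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable path, arguments); handles a quoted path with spaces."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    path, _, args = cmd.partition(" ")
    return path, args


def in_user_profile(path: str) -> bool:
    # Assumed rule: anything launched from a user-writable profile directory.
    return path.lower().startswith("c:\\users\\")


def triage(rows) -> dict:
    """Return autorun entries from user-writable paths, rewrite counts per
    autorun value, and processes that hid super-hidden files."""
    findings = {"autorun": [], "rewrites": Counter(), "hidden_files_suppressed": []}
    for w in (parse_ioc(*r) for r in rows):
        if is_autorun_key(w.key):
            path, args = split_command(w.data)
            findings["rewrites"][w.key + "\\" + w.name] += 1
            if in_user_profile(path):
                findings["autorun"].append((w.process, path, args))
        elif w.name.lower() == "showsuperhidden" and w.data == "0":
            findings["hidden_files_suppressed"].append(w.process)
    return findings


def summarize(findings: dict) -> list[str]:
    lines = []
    for value, n in findings["rewrites"].items():
        lines.append(f"autorun value {value} written {n} time(s)")
    switches = sorted({a for _, _, a in findings["autorun"]})
    lines.append(f"{len(findings['autorun'])} autorun entries from user profile; switches: {' '.join(switches)}")
    for p in findings["hidden_files_suppressed"]:
        lines.append(f"{p} set ShowSuperHidden=0 (hides hidden+system files in Explorer)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_IOCS))))
```

Run stand-alone it prints one line per autorun value with its write count, one line listing the switches seen, and one line per process that suppressed super-hidden files. Two facts it makes explicit that the flat table hides: every one of the 27 entries points at the same executable under the user's profile, and the 26 switches written by tiidaa.exe are exactly the letters a through z, which looks like an argument sweep rather than a meaningful configuration change.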
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe (1 entry)
2080 | tiidaa.exe (the remaining 63 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
2080 | tiidaa.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Four identical entries: the parent writes into the memory of its dropped child.
description | pid | Process | procid_target
PID 1676 wrote to memory of 2080 | 1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe | 28
PID 1676 wrote to memory of 2080 | 1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe | 28
PID 1676 wrote to memory of 2080 | 1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe | 28
PID 1676 wrote to memory of 2080 | 1676 | 0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0167dfa1505eb3861e0616f6d082bec3ed8a537c1e5cfd383c194ca5315268fa.exe"
   PID: 1676
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\tiidaa.exe (child of PID 1676)
      Command line: "C:\Users\Admin\tiidaa.exe"
      PID: 2080
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
MD5: e68df2d3664272b08c73b93af77f37a3
SHA1: 2c83f6b9d085ae8caafaa5ace0ef31e4cb3b2da2
SHA256: aca59b6d0ef1943cfc0de34a4c36b74ac5ce7c8762d46121d1bbb651c09343ee
SHA512: 13ab72136de8174d6ebe1c13be10bf79897760172a261a2a679d47d8dd5607144e02e28c3d0b92d84428b4de442b5518a1975d2d2b096d6d69c9a6110e30c622