d1b9e3a7e548eedbbe122287b8589f1eb42023f77e8f7d6856dc1644f038f617

Analysis

max time kernel
134s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tcmd1103x64.exe
Size

6.2MB
MD5

2bc1009b18915f773803aa5ce0c8c5aa
SHA1

e7ce87c81da0ed4eda263c0bc1a6e87ea2f5b6ec
SHA256

d1b9e3a7e548eedbbe122287b8589f1eb42023f77e8f7d6856dc1644f038f617
SHA512

cecff47bc915b4ca56ca6e524a78835adbe1d14d822f4e1fb7746fc9f5aeaa6ec50a4f2607b7b9a587165d30bce025395421a70832dfd08514fe44531d8d997c
SSDEEP

196608:fuoi4HImqMBbtrrxzf04DC4CycKkPpOMLvo:Gcz3uZlxOMk

Score

6^/10

discovery evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TOTALCMD64.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	TOTALCMD64.EXE
File opened (read-only)	\??\r:	TOTALCMD64.EXE
File opened (read-only)	\??\v:	TOTALCMD64.EXE
File opened (read-only)	\??\a:	TOTALCMD64.EXE
File opened (read-only)	\??\b:	TOTALCMD64.EXE
File opened (read-only)	\??\i:	TOTALCMD64.EXE
File opened (read-only)	\??\j:	TOTALCMD64.EXE
File opened (read-only)	\??\m:	TOTALCMD64.EXE
File opened (read-only)	\??\s:	TOTALCMD64.EXE
File opened (read-only)	\??\t:	TOTALCMD64.EXE
File opened (read-only)	\??\u:	TOTALCMD64.EXE
File opened (read-only)	\??\w:	TOTALCMD64.EXE
File opened (read-only)	\??\y:	TOTALCMD64.EXE
File opened (read-only)	\??\g:	TOTALCMD64.EXE
File opened (read-only)	\??\l:	TOTALCMD64.EXE
File opened (read-only)	\??\n:	TOTALCMD64.EXE
File opened (read-only)	\??\z:	TOTALCMD64.EXE
File opened (read-only)	\??\e:	TOTALCMD64.EXE
File opened (read-only)	\??\k:	TOTALCMD64.EXE
File opened (read-only)	\??\p:	TOTALCMD64.EXE
File opened (read-only)	\??\x:	TOTALCMD64.EXE
File opened (read-only)	\??\f:	TOTALCMD64.EXE
File opened (read-only)	\??\h:	TOTALCMD64.EXE
File opened (read-only)	\??\q:	TOTALCMD64.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ITA.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_CHN.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCUNINST.WUL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TcUsbRun.exe	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\KEYBOARD.TXT	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ESP.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_UKR.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\vertical.br2	TOTALCMD64.EXE
File opened for modification	C:\Program Files\totalcmd\TOTALCMD.CHM	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_DUT.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\DESCRIPT.ION	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\VERTICAL.BAR	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCMICONS.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCUNIN64.EXE	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TcUsbRun.exe	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_DAN.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TOTALCMD64.EXE.MANIFEST	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCMICON2.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TC7Z64.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\vertical.bar	TOTALCMD64.EXE
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_SVN.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DAN.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ITA.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_NOR.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_POL.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_SVN.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\FILTER64\SoundTouchDLL_x64.dll	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\FILTER64\SoundTouchDLL_x64.dll	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TCMDX32.EXE	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\HISTORY.TXT	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DUT.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_RUS.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_UKR.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\FILTER64\AutoPitch.dll	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\NO.BAR	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\KEYBOARD.TXT	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ESP.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ITA.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TC7Z64.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\BLAKEX64.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_DUT.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_UKR.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCMADM64.EXE	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TCUNIN64.EXE	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ESP.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DEU.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ESP.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_SWE.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_RUS.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_UKR.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\FILTER64\SoundTouchDLL_License.txt	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_NOR.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\VERTICAL.BAR	tcmd1103x64.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	TOTALCMD64.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
568	tcmd1103x64.exe
568	tcmd1103x64.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	tcmd1103x64.exe
Token: SeDebugPrivilege	568	tcmd1103x64.exe
Token: SeDebugPrivilege	568	tcmd1103x64.exe
Token: SeDebugPrivilege	568	tcmd1103x64.exe
Token: SeDebugPrivilege	568	tcmd1103x64.exe
Token: SeDebugPrivilege	568	tcmd1103x64.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
568	tcmd1103x64.exe
1996	TOTALCMD64.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	TOTALCMD64.EXE

C:\Users\Admin\AppData\Local\Temp\tcmd1103x64.exe
"C:\Users\Admin\AppData\Local\Temp\tcmd1103x64.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:568

C:\Program Files\totalcmd\TOTALCMD64.EXE
"C:\Program Files\totalcmd\TOTALCMD64.EXE"
1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\totalcmd\TOTALCMD64.EXE

Filesize
9.9MB

MD5
010b1b115950c530717128a665f090ee

SHA1
bdabfdfc91f6ad541da2c6cd4a7abcb59f3e72c6

SHA256
aa7d04a9fad39fb4745804a90489ef5c283b9ec780d8f577106042c9e0ed78eb

SHA512
f52e2389dddc3d24ce64345a347813b6eed455e24d11c50fe31f0c197f36732bc0657e88bfb1f6abc3fbee60605e48cc7398d2bfb94733a5a11cbd2274779dd6

Download Submit
C:\Program Files\totalcmd\default.bar

Filesize
977B

MD5
f103b23c658d801d5c31cb056bafdc16

SHA1
8de136fc1dd6372b4eb357304c73eb55393bba13

SHA256
8159c946398eec59d8065342c06b957ae38165e664850fb57f5d9971cffb7c21

SHA512
a4edb8541eea5fcb6411c59ee604304324aea37e7d0cfc271faf0f8bd044f93282d14c54168e355f59ccd81ad679c2f3cf4cd65dc5b22c6ed4ce6f160beb1cd3

Download Submit
C:\Program Files\totalcmd\totalcmd.inc

Filesize
29KB

MD5
0e5650341b163a9bd1986a300e3a550b

SHA1
1c322886379e0c11d748d9ae7d2a341144fc4946

SHA256
dd47559564aacce38a055631ad34ee0000f6b10241917d403cf00dd432d2d616

SHA512
dd7de3f4f9ffac489c6f369ccdad3e57f6bb31282f98cbd54c25cc46a464f9a658cc3aa59252eeb1028da6311cce9948c251a2273aa8c2070a07f1f220ac09d5

Download Submit
C:\Program Files\totalcmd\vertical.bar

Filesize
417B

MD5
359a5959600405bafe7f527698403fd5

SHA1
4024b741ec3a894123436c20d92e742d2c5549e8

SHA256
2269161181abceb488f93ed7a52e81900d3217d0da4cd3fe7cd405b7658d814a

SHA512
04af487a7c3a680effdad2ac34881312863a8c1fd5f02d651440a749672972e081b63bc715f0048639618c323377295201195c2b893f5748fe936568282f8ac6

Download Submit
C:\Program Files\totalcmd\wcmicon2.dll

Filesize
1.5MB

MD5
e27082b0866a67ce44e1b87cf49a59a5

SHA1
9307b91833f8234c34d797c0feb4538e3be497f7

SHA256
9f1ee34b38da173f59bdf6172198ff2ec872fb75bc09ffa55cc3847ecda14cba

SHA512
8ee78da80693d5eaa49db85e1c3c0c3b94d70e17f6a8390f35c4a89aa08bc65c6aca05100c05ae32d789f1dc8e4cf23585abba1b6193a647c891daffaffc9fe6

Download Submit
C:\Program Files\totalcmd\wcmicons.dll

Filesize
623KB

MD5
c6a57219c6e2c4ebb4b6e887a3895308

SHA1
80bd3a6ca1b5ae395e64ad16665099efe759856e

SHA256
23498765aeb0f74007ecd45a8eb83d64d839ad8cacfce59f1d77621583dd61ef

SHA512
0f42a0cb29cfbbc0ef988cba1876dba492759a103be55d94757d1fafde111aec225fc6384af450544df5fd027f3df8d028ba2c76c8df77271002c62812f6e0e4

Download Submit
C:\Program Files\totalcmd\wcmicons.inc

Filesize
1KB

MD5
7413491be06e421a6d8b0e64a1f54b13

SHA1
ba2637885daec4685a8c9983626d92820b8fc00d

SHA256
4d74f2df5eef181bb65d66648afacc61391fd2213312d0b0929e6c3850f27be9

SHA512
8db9fa4dab27870ceea978f6b16293b94f8a1f424ba2042a791b9cfd2ce122c6c6af2c4bfae665d5ba3853a5cfe1f94b84e178880a773fbea596b9db7cef5e52

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
55B

MD5
8d158ff6c3d1872a17896ca8a116c9b1

SHA1
f8e57560a4fd5f9c47c7fd9c1cad773f58cba6d5

SHA256
6f54122f094088382bacecfee05210769ea957f5cdd35b6f4e1e69ea6851ebe8

SHA512
9df88ce729a12dab4d750a1012f53c2d064b677cd31c901c22a0090e873f7600843db3db42a3478f914d821141393c5a5cd14068cb9ed4bb9b6f958600e14109

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
72B

MD5
7125e35228f66938f369a50011a2df6d

SHA1
ffe74e057cde68d7fc2378b7eb830e3d59030bc5

SHA256
df0a35a35ed074325726d5e927fe2013bd47ca4d898039d23a4a062d675bfd23

SHA512
223b579b1ebdf308541cc10cb2fa01fd887c931f4b413ec15b18adb1efcb16b6a429eb83b7c59888b0208f7b568da34d3e2f12f9ef6170552c7ddd42408224fa

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
112B

MD5
2a59360a75a97af5811c0c17b92c90e5

SHA1
7b5f9407e715b6fddf279ff850563b3852309343

SHA256
4e367e5483c8e8640236633b47963ccb07b16133ffaefa2d7c923a2f5d704ed5

SHA512
9312e05c5b9a38261f49af4dc5ca96d6e2697201cef4d9d97bf723efb70582c184694b5efcddbacb5eb38f1ad50201767b5befb620744517ab26d7ae7c4f30e9

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
180B

MD5
1ac013e38533f98da5c3a948d854e6ac

SHA1
976b5153adfbb8d37ebe0637e84a231ce319360c

SHA256
3ee8bb65123347dbf23d080e00e66303cc261f40c4f7bf2b8851e33fb21a9271

SHA512
06395c01cd94419b6e3f06c28f4cf8af023e0bcd045e5288d1943490e652b978455bf150e4d324fed47824793c4be719b4aae3c23efbddb881268166075cf120

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
223B

MD5
af6ecebfa269ea202fa1c5a8e04bfde6

SHA1
4c0b41e892e932c42b4c7ba13838ec8104cec116

SHA256
2f681e2ebd2339c75ab929a364a50b6aa62ebe054754cfebf7312cf9380b1866

SHA512
6cfa50464e65a99bf200d0e8fa65c888ecdbdd80159f98867eef63caeec9e9109064517dae9faac8c9aa9546b34003a7033c6b84fd45b03201e00f7e90dab94b

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
256B

MD5
8066a07d85a59b8036266d2d0dd7527e

SHA1
4850a2ab6a395f8830a0c2bf8a53dce7909a7cd9

SHA256
c4a124895de7198b799e49af1294dc17f9428c559aa381ef5fcea5fc164c253f

SHA512
abbfed1d6cbaa8222e420f4b7da49235c6717a5aefce7a0cbedb9c273cedf066ec17741cc21434253f9133b390766eb7da93ecfa78c2b84d366a5eeea8575888

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
266B

MD5
f0a5eb5f6ceaf7fc3475dde579013ca1

SHA1
a5c97c155845c72f4c048060a225a2f84e55c046

SHA256
09c51a67b41ab6afb09bf1d91e07d77740c616c9ec04fec687778be6ec26101c

SHA512
d6055517c79de6d33ff204949d4629739d37e7143e09f37ff1f3f776028c6dc52c0e671c011355f5a02a8f460c094c3c00caa1cab17c9bc4aaf01a2daf3ed43c

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
709B

MD5
d11ded1263d56c924e7a16dd7812c100

SHA1
65d5392edb9afa5f097fecbfe7addabe87d998b6

SHA256
97d38fe15be381ce4e50fe38fe60816235e1920d0486745575f58dce01756f02

SHA512
1c1dd6246de9c0de2a85bc177fcb37d54130282e1dd1a7d6a83c1a5941c463d7547b8cbce1bcdc0752438ed346d89bd1ebfc4dc3d311f569ce18cccd6209280d

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
709B

MD5
091deb477fe9080cd2e9c855e366776b

SHA1
220743fd2500f8459fde980207930226849835e3

SHA256
36b6094553f765036bd03d946074f72f8944cf490e64fd49c8b0bc522b2fc22a

SHA512
915c523e9348907243f761160ab6a2d5b1016eb98e2963626b65472e78034122ebf6669199e1d3affb4f1970403e82f3bd8ddbee8a44a90f7f87d883995d87c2

Download Submit
C:\Users\Admin\AppData\Roaming\GHISLER\wincmd.ini

Filesize
760B

MD5
add9fac7068703b57c976e07cbf15e52

SHA1
3c356c636b1495a5806f3af03aab557302d90224

SHA256
856b8bf351a33775e4e56fab32b18fddecb0332c42f5ae7d35cf2705c947511a

SHA512
0278e7d857ced49eea88185fa89af968bdf9e237d6fb33c8bff9c591ecd1fa37acdf31c4a9e0350e5009fbc7a26f10f185b9d55a2a3fe7f8561cff8874976b7d

Download Submit