Overview

Task                 Platform             Score
overview                                  7
static                                    7
DllEmForm.dll        windows7-x64         6
DllEmForm.dll        windows10-2004-x64   6
TYFrame.exe          windows7-x64         7
TYFrame.exe          windows10-2004-x64   7
data/bmnet.sys       windows7-x64         1
data/bmnet.sys       windows10-2004-x64   1
data/drvinst.exe     windows7-x64         1
data/drvinst.exe     windows10-2004-x64   1
data/新云软件.url     windows7-x64         1
data/新云软件.url     windows10-2004-x64   1
libeay32.dll         windows7-x64         1
libeay32.dll         windows10-2004-x64   1
prcdcdll.dll         windows7-x64         6
prcdcdll.dll         windows10-2004-x64   6
ssleay32.dll         windows7-x64         1
ssleay32.dll         windows10-2004-x64   1
tyframe.exe          windows7-x64         1
tyframe.exe          windows10-2004-x64   1
unicallem.dll        windows7-x64         6
unicallem.dll        windows10-2004-x64   6
unins000.exe         windows7-x64         7
unins000.exe         windows10-2004-x64   7
update.exe           windows7-x64         1
update.exe           windows10-2004-x64   1

Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2024, 03:24
Behavioral tasks
behavioral1: DllEmForm.dll (resource win7-20240221-en)
behavioral2: DllEmForm.dll (resource win10v2004-20240226-en)
behavioral3: TYFrame.exe (resource win7-20240221-en)
behavioral4: TYFrame.exe (resource win10v2004-20240226-en)
behavioral5: data/bmnet.sys (resource win7-20240221-en)
behavioral6: data/bmnet.sys (resource win10v2004-20240226-en)
behavioral7: data/drvinst.exe (resource win7-20240215-en)
behavioral8: data/drvinst.exe (resource win10v2004-20240226-en)
behavioral9: data/新云软件.url (resource win7-20240221-en)
behavioral10: data/新云软件.url (resource win10v2004-20240226-en)
behavioral11: libeay32.dll (resource win7-20240220-en)
behavioral12: libeay32.dll (resource win10v2004-20231215-en)
behavioral13: prcdcdll.dll (resource win7-20240221-en)
behavioral14: prcdcdll.dll (resource win10v2004-20240226-en)
behavioral15: ssleay32.dll (resource win7-20240221-en)
behavioral16: ssleay32.dll (resource win10v2004-20240226-en)
behavioral17: tyframe.exe (resource win7-20240221-en)
behavioral18: tyframe.exe (resource win10v2004-20240319-en)
behavioral19: unicallem.dll (resource win7-20240220-en)
behavioral20: unicallem.dll (resource win10v2004-20240226-en)
behavioral21: unins000.exe (resource win7-20231129-en)
behavioral22: unins000.exe (resource win10v2004-20240226-en)
behavioral23: update.exe (resource win7-20240221-en)
behavioral24: update.exe (resource win10v2004-20240226-en)
General
Target: TYFrame.exe
Size: 975KB
MD5: 37a235ee25885b7d32f6e4758d97744f
SHA1: 5f5365cb021169bab2e48c7e76f3f685b59bd4b8
SHA256: 6554d3cdf92be4afb113c63ac57b0bf64f654b66ad7a881671b33ae523443830
SHA512: 3102ac259141305de855b42c704f494cbca8dd651dcb67a2820a53fa83012bf81bf29958760b5c7ff6634072e12ca112cc5a9b69a40a2c328da5a4ca17c92cc5
SSDEEP: 12288:WMpMLAkwN5VMsXtmzx/2ALo1/iEutcsY0whF6f7dnw40Yidsbf64bOJa88xsv1:HaAbzVp9mz2jdOwrsfBc/4bOQ88M1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2680  tyframe.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2680  tyframe.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1836  update.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
464   TYFrame.exe
464   TYFrame.exe
2680  tyframe.exe
2680  tyframe.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid   Process
464   TYFrame.exe
464   TYFrame.exe
2680  tyframe.exe
2680  tyframe.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process      procid_target
PID 464 wrote to memory of 1836    464   TYFrame.exe  91
PID 464 wrote to memory of 1836    464   TYFrame.exe  91
PID 464 wrote to memory of 1836    464   TYFrame.exe  91
PID 1836 wrote to memory of 2680   1836  update.exe   92
PID 1836 wrote to memory of 2680   1836  update.exe   92
PID 1836 wrote to memory of 2680   1836  update.exe   92
Processes
C:\Users\Admin\AppData\Local\Temp\TYFrame.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TYFrame.exe"
  PID: 464
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\update.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\update.exe tyframe.exe restart
      PID: 1836
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\tyframe.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\tyframe.exe
          PID: 2680
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 981KB
MD5: d6f79d061aa638dd20f1ded12d8447ad
SHA1: 7263ac01813bac63e87457fc9f28f52defb3b6a6
SHA256: 12d2a55d16c7bf1c4b07712a2c80cc78d168af227d73fd0f70c009e0a1af19f0
SHA512: 9927fc0e72a3041d63ce768fd095ed79d0c9379eb6a96136554d000d8982a2fc183ffba1563f163aa18318acd07e163a0d61fc285719c4eab72b5503b48c2ba2