Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

7

tmp.exe

windows11-21h2-x64

1

Resubmissions

11/04/2024, 06:38

240411-hd63esha9z 8

11/04/2024, 06:37

240411-hdp4xaha9x 8

11/04/2024, 06:37

240411-hdlrgsha9w 8

11/04/2024, 06:37

240411-hdk5ysha9t 8

11/04/2024, 06:37

240411-hdkjesha9s 8

07/04/2024, 08:23

240407-kabhfsgg71 8

07/04/2024, 08:23

240407-j97t9shc64 8

07/04/2024, 08:22

240407-j93wbagg7w 8

07/04/2024, 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:2876
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
      • C:\Users\Admin\AppData\Local\Temp\~tl14B9.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl14B9.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\system32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:2560
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2460
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:2652
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:1664
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              PID:584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        90a3ede53f972b294dce373dea86fc1a

        SHA1

        34de371b6ef95a5f42b216dd778024ef7f25b104

        SHA256

        52ff97af8263d7723d5f8cfcf432cbf5494d123cd589e6e96cb75bb08b8551ff

        SHA512

        ecb73457b5deb1ad9d428183dfec85eb28c0a6ca0f0163c2f6e751c0ff997d8175c27b475f90d85e5b2ffd67ccc1e580baf03140f5fe58c893dbd993a6578e23

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        561a0c86a1593519e33812afb5fd8a49

        SHA1

        d552f5fa44c85c9d8f0f3da9928e432bc9d6541e

        SHA256

        fdb9dbb25029b362bac0493141bff7f026232ae04276595dd22532c85f49a19b

        SHA512

        1d352d9552da367473ee848d1901d5c49619ac91b49e183156d2cdbd4ce00ef386f1283d19e5e3e591fcbeb90aa500b9cfe8b0d4e44d87541a5e615128b159e3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
        Filesize

        2.7MB

        MD5

        c9b1dde253446b4b2bc6a0ad4d3022c2

        SHA1

        66cf356f3717f3d07a1c568c7146f9f9f14adf9f

        SHA256

        4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

        SHA512

        0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        6.5MB

        MD5

        402ac853381e0feff7228485e17f55e5

        SHA1

        7e2035bc4f13a56ed829284126d7b78512dac113

        SHA256

        1381134a2a520ef705608d367a1f5445b0a8dbeef5234c10acad6877aecf3713

        SHA512

        2f3da0383be038563bd537f15fcb1c146e01a08158b155f9470331cb00786fed8cc169e19ab553520874a44d0dc4d35234211af8dfb4d5ed8e640c0c3ce7cd99

        Download Submit

      • \Users\Admin\AppData\Local\Temp\~tl14B9.tmp
        Filesize

        385KB

        MD5

        e802c96760e48c5139995ffb2d891f90

        SHA1

        bba3d278c0eb1094a26e5d2f4c099ad685371578

        SHA256

        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

        SHA512

        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

        Download Submit

      • \Windows\system\svchost.exe
        Filesize

        5.3MB

        MD5

        5fe4ea367cee11e92ad4644d8ac3cef7

        SHA1

        44faea4a352b7860a9eafca82bd3c9b054b6db29

        SHA256

        1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

        SHA512

        1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

        Download Submit

      • memory/584-158-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/584-157-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1040-67-0x0000000040420000-0x000000004091C000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1040-117-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1040-38-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1040-40-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-4-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-3-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-0-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-1-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-2-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1444-36-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/1644-119-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1644-120-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1644-121-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1728-59-0x0000000002200000-0x0000000002280000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1728-58-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1728-53-0x0000000002330000-0x0000000002338000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1728-65-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1728-62-0x0000000002200000-0x0000000002280000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1728-61-0x0000000002200000-0x0000000002280000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1728-60-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1736-135-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1736-140-0x0000000002880000-0x0000000002900000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1736-142-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1736-128-0x000000001B290000-0x000000001B572000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1736-133-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1736-134-0x0000000002880000-0x0000000002900000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1736-139-0x0000000002880000-0x0000000002900000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2268-55-0x0000000002930000-0x00000000029B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2268-52-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2268-66-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2268-64-0x0000000002930000-0x00000000029B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2268-63-0x0000000002930000-0x00000000029B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2268-54-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2268-57-0x0000000002930000-0x00000000029B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2268-56-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2628-18-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2628-21-0x0000000002850000-0x00000000028D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2628-16-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2628-17-0x0000000002850000-0x00000000028D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2628-26-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2664-24-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2664-20-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2664-22-0x0000000002B90000-0x0000000002C10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2664-23-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2664-19-0x0000000002B90000-0x0000000002C10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2664-15-0x00000000022E0000-0x00000000022E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2664-14-0x000000001B400000-0x000000001B6E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2704-136-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2704-137-0x0000000002940000-0x00000000029C0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2704-138-0x0000000002940000-0x00000000029C0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2704-141-0x0000000002940000-0x00000000029C0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2704-143-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

        Filesize

        9.6MB

        Download