Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

7

tmp.exe

windows11-21h2-x64

1

Resubmissions

11/04/2024, 06:38

240411-hd63esha9z 8

11/04/2024, 06:37

240411-hdp4xaha9x 8

11/04/2024, 06:37

240411-hdlrgsha9w 8

11/04/2024, 06:37

240411-hdk5ysha9t 8

11/04/2024, 06:37

240411-hdkjesha9s 8

07/04/2024, 08:23

240407-kabhfsgg71 8

07/04/2024, 08:23

240407-j97t9shc64 8

07/04/2024, 08:22

240407-j93wbagg7w 8

07/04/2024, 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/04/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1408
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4176
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
      • C:\Users\Admin\AppData\Local\Temp\~tl36E5.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl36E5.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:1140
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4260
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4504
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:2804
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:924
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              PID:4148

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        cd5b15b46b9fe0d89c2b8d351c303d2a

        SHA1

        e1d30a8f98585e20c709732c013e926c7078a3c2

        SHA256

        0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

        SHA512

        d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        eae05d42b5e10303a6a8ff9271c9f3ea

        SHA1

        f1db70800544ff57c5fd891c55965c117b9a5276

        SHA256

        b44bcd00507d2be4b86c527edae4f76b690efb7d984f30461749921a79596aa9

        SHA512

        d7143b35a3e9158b1c75c45deb005198e4ce9def7fab6b71afa4a5a6f2b3062f59c5de1815d6e0df04225d08f31f5efba3aa5d22f22e5f9fb4e4d00a38d4d336

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        c2731d4db91c3214276cc3a74441f8c6

        SHA1

        092c464c97b7b01cafb8c9cf0a742b664cc50c4f

        SHA256

        6bd29e9921fd72872837abd2f4c8b75c16af8a36f239f293b9583b51baf673ac

        SHA512

        1e4cd684760da163c4522b723a6e3d93b68171064606c32e7ccc9423235d1295df178c353424e019b5d9fce16ec5e26c064ac4c29ad655161855fed46165951c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        fbbaf19e5b2817537e1d07c8c2de56eb

        SHA1

        13fbdb2f31cddccc5409e96adde9ad413c279606

        SHA256

        53287c07dfd708d1926894db7370197d0adbcb2a65a56c32e24072d0d594ca1a

        SHA512

        c18be68a1d4897d8ac20989866e2aebdfde47e44e5bc26fcfba1bd62ca33d13d8128f08aba036bd59b09a4e6348c9125b634ba01f287ff5f20986ae35002dbde

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymlkcdhu.4u2.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~tl36E5.tmp
        Filesize

        385KB

        MD5

        e802c96760e48c5139995ffb2d891f90

        SHA1

        bba3d278c0eb1094a26e5d2f4c099ad685371578

        SHA256

        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

        SHA512

        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
        Filesize

        2.7MB

        MD5

        c9b1dde253446b4b2bc6a0ad4d3022c2

        SHA1

        66cf356f3717f3d07a1c568c7146f9f9f14adf9f

        SHA256

        4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

        SHA512

        0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        6.2MB

        MD5

        838b46b300004fab57c1ee0e08dd4e16

        SHA1

        a68ccfded37bd4c67ab02bc9d2576af750947669

        SHA256

        772bb306ef9ff054f7040c370a1a30e1ba01d3b7fb5a1e2a9f866648e2f8037f

        SHA512

        cb926d6f6d46adb5760ff6a254e4ab236e3f3b09938e6049c30bca43a169ed4aafed6d331f65a7eb5a893430aaf9dbe36f832dfd5b12bc84a5b71b46ed0b2fb5

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        5.3MB

        MD5

        5fe4ea367cee11e92ad4644d8ac3cef7

        SHA1

        44faea4a352b7860a9eafca82bd3c9b054b6db29

        SHA256

        1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

        SHA512

        1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

        Download Submit

      • memory/212-279-0x00000291C8E10000-0x00000291C8E20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/212-280-0x00000291C8E10000-0x00000291C8E20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/212-463-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/212-417-0x00000291C8E10000-0x00000291C8E20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/212-314-0x00000291C8E10000-0x00000291C8E20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/212-276-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1408-52-0x000002BCD5060000-0x000002BCD5070000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1408-98-0x000002BCD5060000-0x000002BCD5070000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1408-17-0x000002BCD5060000-0x000002BCD5070000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1408-109-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1408-14-0x000002BCD5060000-0x000002BCD5070000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1408-19-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1408-25-0x000002BCD5170000-0x000002BCD51E6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1584-130-0x0000016763A90000-0x0000016763AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1584-221-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1584-217-0x0000016763A90000-0x0000016763AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1584-127-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1584-131-0x0000016763A90000-0x0000016763AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1584-163-0x0000016763A90000-0x0000016763AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2648-270-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2648-119-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2648-222-0x0000000032120000-0x000000003261C000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3376-50-0x000001D6C8960000-0x000001D6C8970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3376-18-0x000001D6B03D0000-0x000001D6B03F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3376-110-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3376-101-0x000001D6C8960000-0x000001D6C8970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3376-15-0x000001D6C8960000-0x000001D6C8970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3376-12-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3376-16-0x000001D6C8960000-0x000001D6C8970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-216-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3884-124-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3884-167-0x0000028E72C10000-0x0000028E72C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-133-0x0000028E72C10000-0x0000028E72C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-132-0x0000028E72C10000-0x0000028E72C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-211-0x0000028E72C10000-0x0000028E72C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3912-269-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3912-273-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3912-272-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3912-271-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4384-116-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4384-0-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4384-4-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4384-3-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4384-1-0x0000000140000000-0x0000000140645400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4504-285-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/4504-289-0x000001F1E8760000-0x000001F1E8770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-288-0x000001F1E8760000-0x000001F1E8770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-365-0x000001F1E8760000-0x000001F1E8770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-428-0x000001F1E8760000-0x000001F1E8770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-462-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

        Download