03c25f8ddb354768bf75464dd35d3ab1ac9636ab508959785db5979d74b4a2db

General

Target

TianSys.exe
Size

7.3MB
MD5

00b8460a282d7d884686c6603cd4ebfe
SHA1

dfe79edbb4f16db977de038d64837bd1e498e94c
SHA256

03c25f8ddb354768bf75464dd35d3ab1ac9636ab508959785db5979d74b4a2db
SHA512

7486eebd781ef20eab7a7a7dfb7f9b24f8d54da2734de3a33262f91f46a41a75f958c9b2f315447143d7179118bbcecc6b5ecbaf0da815291c28fd1e3d0ca3ef
SSDEEP

196608:oMcxlCwSfuOxo6uvSBJ2akGC8lCccDBOPn+VZahb7QHxLxn6:o5fCwgvxnu6BkPGvlCpDIP+VZaCH6

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
396	7zg.exe
4544	nwinfo.exe
1996	nwinfo.exe
2208	nwinfo.exe

Loads dropped DLL 1 IoCs

pid	Process
396	7zg.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3792-0-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/files/0x0008000000023489-54.dat	upx
behavioral2/memory/4544-58-0x0000000000440000-0x0000000001AE1000-memory.dmp	upx
behavioral2/memory/2208-60-0x0000000000440000-0x0000000001AE1000-memory.dmp	upx
behavioral2/memory/1996-63-0x0000000000440000-0x0000000001AE1000-memory.dmp	upx
behavioral2/memory/4544-61-0x0000000000440000-0x0000000001AE1000-memory.dmp	upx
behavioral2/memory/1996-62-0x0000000000440000-0x0000000001AE1000-memory.dmp	upx
behavioral2/memory/3792-64-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/memory/3792-66-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/memory/3792-69-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/memory/3792-71-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/memory/3792-74-0x00000000000F0000-0x0000000000718000-memory.dmp	upx
behavioral2/memory/3792-76-0x00000000000F0000-0x0000000000718000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	TianSys.exe
File opened (read-only)	\??\p:	TianSys.exe
File opened (read-only)	\??\u:	TianSys.exe
File opened (read-only)	\??\x:	TianSys.exe
File opened (read-only)	\??\g:	TianSys.exe
File opened (read-only)	\??\k:	TianSys.exe
File opened (read-only)	\??\m:	TianSys.exe
File opened (read-only)	\??\n:	TianSys.exe
File opened (read-only)	\??\w:	TianSys.exe
File opened (read-only)	\??\z:	TianSys.exe
File opened (read-only)	\??\f:	TianSys.exe
File opened (read-only)	\??\e:	TianSys.exe
File opened (read-only)	\??\l:	TianSys.exe
File opened (read-only)	\??\q:	TianSys.exe
File opened (read-only)	\??\s:	TianSys.exe
File opened (read-only)	\??\y:	TianSys.exe
File opened (read-only)	\??\a:	TianSys.exe
File opened (read-only)	\??\b:	TianSys.exe
File opened (read-only)	\??\i:	TianSys.exe
File opened (read-only)	\??\r:	TianSys.exe
File opened (read-only)	\??\h:	TianSys.exe
File opened (read-only)	\??\j:	TianSys.exe
File opened (read-only)	\??\t:	TianSys.exe
File opened (read-only)	\??\v:	TianSys.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3792-64-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe
behavioral2/memory/3792-66-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe
behavioral2/memory/3792-69-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe
behavioral2/memory/3792-71-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe
behavioral2/memory/3792-74-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe
behavioral2/memory/3792-76-0x00000000000F0000-0x0000000000718000-memory.dmp	autoit_exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nwinfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	nwinfo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3792	TianSys.exe
3792	TianSys.exe
3792	TianSys.exe
3792	TianSys.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3792	TianSys.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	396	7zg.exe
Token: 35	396	7zg.exe
Token: SeSecurityPrivilege	396	7zg.exe
Token: SeSecurityPrivilege	396	7zg.exe
Token: SeSystemEnvironmentPrivilege	2208	nwinfo.exe
Token: SeSystemEnvironmentPrivilege	4544	nwinfo.exe
Token: SeSystemEnvironmentPrivilege	1996	nwinfo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
396	7zg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 396	3792	TianSys.exe	86
PID 3792 wrote to memory of 396	3792	TianSys.exe	86
PID 3792 wrote to memory of 396	3792	TianSys.exe	86
PID 3792 wrote to memory of 4544	3792	TianSys.exe	93
PID 3792 wrote to memory of 4544	3792	TianSys.exe	93
PID 3792 wrote to memory of 4544	3792	TianSys.exe	93
PID 3792 wrote to memory of 1996	3792	TianSys.exe	94
PID 3792 wrote to memory of 1996	3792	TianSys.exe	94
PID 3792 wrote to memory of 1996	3792	TianSys.exe	94
PID 3792 wrote to memory of 2208	3792	TianSys.exe	95
PID 3792 wrote to memory of 2208	3792	TianSys.exe	95
PID 3792 wrote to memory of 2208	3792	TianSys.exe	95

C:\Users\Admin\AppData\Local\Temp\TianSys.exe
"C:\Users\Admin\AppData\Local\Temp\TianSys.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\7zg.exe
  C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\7zg.exe x "C:\Users\Admin\AppData\Local\Temp\TianSys.exe" -oC:\Users\Admin\AppData\Local\Temp\TSDT2 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:396
- C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe
  C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe --cpu
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe
  C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe --sys
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe
  C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe --smbios=17
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TSDT2\TSDT.ini

Filesize
741B

MD5
a4e100ac4e2fad637365b61b5d0ded9d

SHA1
93aeff7786d4b710c35e50814d4354ea51c6670b

SHA256
fcea747b1015607564924846e74ad2e8c3dbcd27f49694398926094b5eba6c68

SHA512
f036af07aef8e2c777f19d30882d78ee0f53a1d023abfbca9124b1ad40c8cf64ba3cba5b73a18300d12594cdb17db0b834ab4465fca93ed914a296d1718441cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\7z.dll

Filesize
1.1MB

MD5
e7ae42ea24cff97bdead0c560ef2add1

SHA1
866f380a62622ab1b6c7705ddc116635e6e3cc86

SHA256
db2897eeea65401ee1bd8feeebd0dbae8867a27ff4575f12b0b8a613444a5ef7

SHA512
a4a27b2be70e9102d95ee319ec365b0dc434d4e8cd25589ce8a75b73bbe4f06b071caa907c7a61387b2ce6a35a70873593564499b88598f77a7c25c47448fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\7zG.exe

Filesize
358KB

MD5
751a81fc78a9b23c087d2f7f87ba3be4

SHA1
e71d982b30cbb40ca90426b48bb9b327663392b6

SHA256
fb5d1be500d319ac9fbebed39cc94ab92ac88593c66f97ed0fb10abe351ac5ec

SHA512
6d2623717d21ee1e5dca9d522ac97f94a0e258af9f55a80eb8d9f12c1f4a9096f8d2e609e632c4e102e3f054427fbd83a3b74241aac2a07f197105e34457f4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSDT2\x86\nwinfo.exe

Filesize
243KB

MD5
88e249de1854e5f1bcef74e0a4a6380c

SHA1
ef2ed281f4b0efa7a2f2de303480f6ca1fbb5103

SHA256
98a6d78ca927e5df305eab0d0d22524f8b10f7a648db0c4dc72da696880a1880

SHA512
937745ba208480eb355769a1d7b87856d3e5ca385838b969eb1fbacea6e868679c5e3cff7fa8ef1a428450619ed11726c1e4cdb4de0245601773e2e67ee78ae7

Download Submit
memory/1996-63-0x0000000000440000-0x0000000001AE1000-memory.dmp

Filesize
22.6MB

Download
memory/1996-62-0x0000000000440000-0x0000000001AE1000-memory.dmp

Filesize
22.6MB

Download
memory/2208-60-0x0000000000440000-0x0000000001AE1000-memory.dmp

Filesize
22.6MB

Download
memory/3792-69-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-64-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-66-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-0-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-71-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-74-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/3792-76-0x00000000000F0000-0x0000000000718000-memory.dmp

Filesize
6.2MB

Download
memory/4544-61-0x0000000000440000-0x0000000001AE1000-memory.dmp

Filesize
22.6MB

Download
memory/4544-58-0x0000000000440000-0x0000000001AE1000-memory.dmp

Filesize
22.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads