6ab24b40ab5f281cf096e413991e9da60ff3c003698a5ef77c8067751e34bfab

Analysis

max time kernel
49s
max time network
20s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 14:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RESET_TPM.exe
Size

19KB
MD5

fe4f7ddef1ec8db8c065bb7d02b707ba
SHA1

4f5f290bbec319ea56e317112a90990b6a270a6f
SHA256

6ab24b40ab5f281cf096e413991e9da60ff3c003698a5ef77c8067751e34bfab
SHA512

bc32ad1508adfab3ff0d07b95f256acca511dd8d68e3f90da5c4baf6a27028f4776b6fac8108ad946a6097e4d4159067a816756d05559c26060a86692f4240a7
SSDEEP

384:6wGLltJ7taNJawcudoD7UogptD4bukJl7y7pqkgb3LFEI+3mK:stCnbcuyD7UowD4bukJl7Spjgb35EVm

Score

7^/10

execution upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	RESET_TPM.exe
2876	RESET_TPM.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-12-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2876-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\tpm.msc	mmc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2388	powershell.exe
2952	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2376	timeout.exe
1468	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2600	powershell.exe
2388	powershell.exe
2952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	mmc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	mmc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1856	mmc.exe
2692	mmc.exe
2692	mmc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3028	2876	RESET_TPM.exe	28
PID 2876 wrote to memory of 3028	2876	RESET_TPM.exe	28
PID 2876 wrote to memory of 3028	2876	RESET_TPM.exe	28
PID 2876 wrote to memory of 3028	2876	RESET_TPM.exe	28
PID 3028 wrote to memory of 2580	3028	b2e.exe	29
PID 3028 wrote to memory of 2580	3028	b2e.exe	29
PID 3028 wrote to memory of 2580	3028	b2e.exe	29
PID 3028 wrote to memory of 2580	3028	b2e.exe	29
PID 2580 wrote to memory of 2600	2580	cmd.exe	31
PID 2580 wrote to memory of 2600	2580	cmd.exe	31
PID 2580 wrote to memory of 2600	2580	cmd.exe	31
PID 2580 wrote to memory of 2600	2580	cmd.exe	31
PID 2580 wrote to memory of 2396	2580	cmd.exe	32
PID 2580 wrote to memory of 2396	2580	cmd.exe	32
PID 2580 wrote to memory of 2396	2580	cmd.exe	32
PID 2580 wrote to memory of 2396	2580	cmd.exe	32
PID 2396 wrote to memory of 1776	2396	net.exe	33
PID 2396 wrote to memory of 1776	2396	net.exe	33
PID 2396 wrote to memory of 1776	2396	net.exe	33
PID 2396 wrote to memory of 1776	2396	net.exe	33
PID 2580 wrote to memory of 2376	2580	cmd.exe	34
PID 2580 wrote to memory of 2376	2580	cmd.exe	34
PID 2580 wrote to memory of 2376	2580	cmd.exe	34
PID 2580 wrote to memory of 2376	2580	cmd.exe	34
PID 2580 wrote to memory of 2388	2580	cmd.exe	35
PID 2580 wrote to memory of 2388	2580	cmd.exe	35
PID 2580 wrote to memory of 2388	2580	cmd.exe	35
PID 2580 wrote to memory of 2388	2580	cmd.exe	35
PID 2580 wrote to memory of 2952	2580	cmd.exe	36
PID 2580 wrote to memory of 2952	2580	cmd.exe	36
PID 2580 wrote to memory of 2952	2580	cmd.exe	36
PID 2580 wrote to memory of 2952	2580	cmd.exe	36
PID 2580 wrote to memory of 1468	2580	cmd.exe	37
PID 2580 wrote to memory of 1468	2580	cmd.exe	37
PID 2580 wrote to memory of 1468	2580	cmd.exe	37
PID 2580 wrote to memory of 1468	2580	cmd.exe	37
PID 2580 wrote to memory of 1856	2580	cmd.exe	38
PID 2580 wrote to memory of 1856	2580	cmd.exe	38
PID 2580 wrote to memory of 1856	2580	cmd.exe	38
PID 2580 wrote to memory of 1856	2580	cmd.exe	38
PID 3028 wrote to memory of 2608	3028	b2e.exe	39
PID 3028 wrote to memory of 2608	3028	b2e.exe	39
PID 3028 wrote to memory of 2608	3028	b2e.exe	39
PID 3028 wrote to memory of 2608	3028	b2e.exe	39
PID 1856 wrote to memory of 2692	1856	mmc.exe	41
PID 1856 wrote to memory of 2692	1856	mmc.exe	41
PID 1856 wrote to memory of 2692	1856	mmc.exe	41
PID 1856 wrote to memory of 2692	1856	mmc.exe	41

C:\Users\Admin\AppData\Local\Temp\RESET_TPM.exe
"C:\Users\Admin\AppData\Local\Temp\RESET_TPM.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\8DED.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8DED.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8DED.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\RESET_TPM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Write-Host 'Welcome to ' -NoNewline; Write-Host '23SHOP.XYZ' -ForegroundColor Magenta"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2600
  - - C:\Windows\SysWOW64\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Clear-Tpm"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Disable-TpmAutoProvisioning"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1468
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\tpm.msc"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\tpm.msc" "C:\Windows\system32\tpm.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8DED.tmp\b2e.exe

Filesize
9KB

MD5
aa128536af8bb6d1ce2eb4f37433bded

SHA1
471d7d57d0a941693abbf2d05ee98cf5263aa828

SHA256
67d3ee5f03f32a85b2e3f23f5cb1bc8fe15c60d5e37a7368740719127bac2e60

SHA512
f6424fc9b52e2b65bc9111c1a718a6c381061ea891bfb4217238c26033d966a93115ab3560900fa889c75987de07292fc0d9ead2ed4732febf3da2d7e5a9cbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\batchfile.bat

Filesize
1KB

MD5
7fcb778c692689ad1b311c455e091caa

SHA1
228972242a3488b0bc15009029d03e7b22294410

SHA256
30067785ec0882a2e28311b4c9cfd8ef9be5a61caf91bebf3cba565bd2a289db

SHA512
945f21c689b6e3118bfa9185ae08d095427a2e76c79c950c26fb8a2afcfd1a5d8ab8a634b8aac7a081e3f3d37aa765bc5824eb340a4f2369f0035f012363a204

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
44422982752fb20327f94391985d18d9

SHA1
49d06de476851148354c4788504faf891fbdb314

SHA256
7c39d0d12fabb1b93705ad993001ed72193bca61f3aa1533a79ad2ad30139e1a

SHA512
4105abda15b7859cdf9742754ca8267e7d5ff43f6234c44d02470fb28d4b017911484b629ba61572fd1ab3cad606bdf4fedeec3447e8027d550ae6bb386a0e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7218d59ad9ce6a6da47b5cca99ad9540

SHA1
043b230e1c34526f4a0d80be43fd957bb79923d2

SHA256
56b1568d6b9313e30e7dab16e87e308451605ee5f6343eec6f8113195fd14f33

SHA512
bca665283a958f2acaad68c593ffc39bce6ec43ae34428cefeca1035b923d76244b0c5191b1bbfc9be30f843d4a30a9562551188b8d462be5afb84e2055b964a

Download Submit
memory/2692-63-0x0000000002470000-0x000000000248E000-memory.dmp

Filesize
120KB

Download
memory/2692-64-0x0000000004200000-0x0000000004232000-memory.dmp

Filesize
200KB

Download
memory/2876-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-5-0x00000000020F0000-0x00000000020F5000-memory.dmp

Filesize
20KB

Download
memory/2876-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3028-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3028-61-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download