3694098fa24b1c08a75a24eafeef4ffed4ec4eddcbe002d2857115da82579cb6

Resubmissions

11/06/2024, 15:30

240611-sxzskasdkk 7

11/06/2024, 15:26

240611-svcj9a1hja 7

Analysis

max time kernel
704s
max time network
692s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/06/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TF2CDownloaderWindows.exe
Size

25.0MB
MD5

82980dae0854bec4d47f9e09b667e696
SHA1

407b67a5f96069818dc55589f1491e9e89f2d06b
SHA256

3694098fa24b1c08a75a24eafeef4ffed4ec4eddcbe002d2857115da82579cb6
SHA512

ffa6b9738803a12c727416648b449698d964911ed15fef6a79d741b1aa97e8cb8c42c11ddbfc3c9f2f36c94255a94118c21e4740d2858bbadf7bca483526aa25
SSDEEP

786432:3iyVmdPN1iZOd9h7JLBSUsdJEIXMNzg22sVF3W8Ye:SyVQPN1iwFLfszX0M52F3WPe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4272	aria2c.exe

Loads dropped DLL 19 IoCs

pid	Process
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe
3840	TF2CDownloaderWindows.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	2396	svchost.exe
Token: SeRestorePrivilege	2396	svchost.exe
Token: SeSecurityPrivilege	2396	svchost.exe
Token: SeTakeOwnershipPrivilege	2396	svchost.exe
Token: 35	2396	svchost.exe
Token: SeRestorePrivilege	2480	7zFM.exe
Token: 35	2480	7zFM.exe
Token: SeRestorePrivilege	1856	7zFM.exe
Token: 35	1856	7zFM.exe
Token: SeRestorePrivilege	3724	7zFM.exe
Token: 35	3724	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2480	7zFM.exe
1856	7zFM.exe
3724	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3840	4836	TF2CDownloaderWindows.exe	74
PID 4836 wrote to memory of 3840	4836	TF2CDownloaderWindows.exe	74
PID 3840 wrote to memory of 2852	3840	TF2CDownloaderWindows.exe	75
PID 3840 wrote to memory of 2852	3840	TF2CDownloaderWindows.exe	75
PID 3840 wrote to memory of 4272	3840	TF2CDownloaderWindows.exe	76
PID 3840 wrote to memory of 4272	3840	TF2CDownloaderWindows.exe	76

C:\Users\Admin\AppData\Local\Temp\TF2CDownloaderWindows.exe
"C:\Users\Admin\AppData\Local\Temp\TF2CDownloaderWindows.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\TF2CDownloaderWindows.exe
  "C:\Users\Admin\AppData\Local\Temp\TF2CDownloaderWindows.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\_MEI48362\aria2c.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI48362\aria2c.exe --max-connection-per-server=16 -UTF2CDownloader2023-05-27 --allow-piece-length-change=true --disable-ipv6=true --max-concurrent-downloads=16 --optimize-concurrent-downloads=true --check-certificate=false --check-integrity=true --auto-file-renaming=false --continue=true --allow-overwrite=true --console-log-level=error --summary-interval=0 --bt-hash-check-seed=false --seed-time=0 -dC:\Users\Admin\AppData\Local\Temp https://wiki.tf2classic.com/kachemak/tf2classic-2.1.5.meta4
    3⤵
    - Executes dropped EXE
    PID:4272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\YBQDFVLH-20240404-1224.log
1⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tf2classic-2.1.5.tar.zst"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2480

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tf2classic-2.1.5.tar.zst"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1856

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tf2classic-2.1.5.meta4"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48362\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_bz2.pyd

Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_decimal.pyd

Filesize
242KB

MD5
09be0caf0e2bd7bea37a27527cb13c2e

SHA1
e543b614b3d008514979697a458b6d075b62e037

SHA256
2673b0ec0769c2513cfb63d72cbfadd3dd43963d30ddc368c6232dab1f607ee1

SHA512
5b98fb115e40a03b67a24cb18b2c2549efe8e15e7c1674d00307453ec0550d340cf4ea5bc4eee856acfa53bfd0f138d5cae771399db444091f3b8d2eea6c4cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_hashlib.pyd

Filesize
59KB

MD5
ad6e31dba413be7e082fab3dbafb3ecc

SHA1
f26886c841d1c61fb0da14e20e57e7202eefbacc

SHA256
2e30544d07f1c55d741b03992ea57d1aa519edaaa121e889f301a5b8b6557fe4

SHA512
6401664e5c942d98c6fa955cc2424dfa0c973bd0ac1e515f7640c975bba366af1b3e403ea50e753f837dcd82a04af2ce043e22b15fa9976af7cbb30b3ac80452

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_lzma.pyd

Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ssl.pyd

Filesize
152KB

MD5
9d810454bc451ff440ec95de36088909

SHA1
8c890b934a2d84c548a09461ca1e783810f075be

SHA256
5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7

SHA512
0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_tkinter.pyd

Filesize
60KB

MD5
63cb15c35973016a2faa85b6498e7e6e

SHA1
e4b29cfb1816cbb4dca48cb1c198ca77e62c1d2a

SHA256
fee72ad34e2ee6d0156d7521f3fda7fe1c336201db4e694bfacbf20f3de3845a

SHA512
ff63fc2f4b24c5001124b86414bcab95044661e71220308deaa92aef79184e559b28852029079369f38926d9fdd14d524d43ab6fc9e950d7287b05805dfb1d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\aria2c.exe

Filesize
7.8MB

MD5
9ace9fcf1763884fbd1d0363ea29247b

SHA1
246f2bfbdcb1c792218ef122169a40bedc50c0fc

SHA256
83c1537d63cc01e7c43dd2222b7456cbea3078f365c74bd7b4a0dcc0a9ef41ad

SHA512
8e8f64a78014be819df383b8738b44eea11c63e69413fc1b13345ee7686841b84322dc54d9e691fccf4d9fae22c861e8c805cc877a06b3c508473c63ad4cc24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\base_library.zip

Filesize
812KB

MD5
a928becdfac91f1d4407812a6057e55d

SHA1
c0fe8327b62290dae4d26e7c9a68c92790337616

SHA256
8d62379941335d3b87f9eb3d8d9a83e7e84630c305dee477aed9b3a78ca444e9

SHA512
600210e0bd4162e2122bc2499d803d7972582504578ea6d7b9abfbd8d8b377563f3f7b3b73701acf6e411cc4d838726a0c4805415d192b7eff6365d39a468d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\certifi\cacert.pem

Filesize
268KB

MD5
59a15f9a93dcdaa5bfca246b84fa936a

SHA1
7f295ea74fc7ed0af0e92be08071fb0b76c8509e

SHA256
2c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524

SHA512
746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\pyexpat.pyd

Filesize
189KB

MD5
8b9855e1b442b22984dc07a8c6d9d2ed

SHA1
2e708fbf1344731bca3c603763e409190c019d7f

SHA256
4d0f50757a4d9abe249bd7ebea35243d4897911a72de213ddb6c6945fef49e06

SHA512
59ca1cbc51a0b9857e921e769587b021bc3f157d8680bb8f7d7f99deb90405db92051e9be8891399379d918afc5d8cb36123297d748c5265ae0855613b277809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\pyzstd\c\_zstd.cp310-win_amd64.pyd

Filesize
525KB

MD5
d3b1968c6ffd5378bcb29e068392f78c

SHA1
6c50d3a8e95e4dff697b2c4aa0065f911cea513c

SHA256
020392940869e2b4b4a1a89fe89d2358d065d6b7c3af1511e99fd8614c54254b

SHA512
1ab10ddc3235ec6673c141c21f15e49d0e17f978a43a278d0bd15ca340fde1a9eb9e1555277e6ae85ffec6292155b95efec991a7e8403eb09e10e16cd75c0f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\unicodedata.pyd

Filesize
1.1MB

MD5
d67ac58da9e60e5b7ef3745fdda74f7d

SHA1
092faa0a13f99fd05c63395ee8ee9aa2bb1ca478

SHA256
09e1d1e9190160959696aeddb0324667fef39f338edc28f49b5f518b92f27f5f

SHA512
9d510135e4106fef0640565e73d438b4398f7aa65a36e3ea21d8241f07fec7a23e721e8696b3605147e5ce5365684e84e8145001201a19d7537e8f61b20cf32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf2classic-2.1.5.meta4

Filesize
321KB

MD5
ed6ce1b69d3c9d8c049085172ac836c0

SHA1
e2aa4e3bde022e16a58413653471bfb61f818178

SHA256
e737eac58f49eac36540b8127205ee50aa5be86591565e576cb342df592efff8

SHA512
0dab29cf7a11df9d9e37a4764f9fdb8cc9490f4f155463bffa8311cc16f059eae472156d55ce751238229541334073a23d3515a2c55ba7587de0c9e18620fab3

Download Submit
memory/3840-1007-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4272-1019-0x0000000000D30000-0x0000000001501000-memory.dmp

Filesize
7.8MB

Download
memory/4836-1006-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download