Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 15:08

General

  • Target

    TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe

  • Size

    80.9MB

  • MD5

    1c0dc0579e549e8405d3648a0daef12d

  • SHA1

    dd6246be90ee999c298e5346a9131ae89ec81565

  • SHA256

    16de1c80ce70584212fde77a2f9149bddeb8a266820e74c34f0d8303c14609f8

  • SHA512

    5646027558a51d7b4abbb413727b1f1cd47a3b1bb92f913842b413abb96efdecce0209a96de9ff90d08d58fa09b8cd67175f55490160f5a3d0ce2f3f7b522df3

  • SSDEEP

    1572864:rATnjQ2ad/Hx7yhztovEmEMl9GOR32beFKbA4DD9eLcQob41:On+1R7QzCEvMlF/KRUsbi

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 6 IoCs)
  • Modifies registry class (24 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
    "C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp" /SL5="$50150,84175752,57856,C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
      2⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe
        "C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp" /SL5="$301E8,7983214,57856,C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:644
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll"
            5⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            PID:1920

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Event Triggered Execution (T1546): 1
      • Component Object Model Hijacking (T1546.015): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Event Triggered Execution (T1546): 1
      • Component Object Model Hijacking (T1546.015): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe
    Filesize

    7.9MB

    MD5

    9851bec28a2fe7c81888c11562c420f1

    SHA1

    64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0

    SHA256

    2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f

    SHA512

    84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56

  • C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp
    Filesize

    706KB

    MD5

    53267ddd5af9cadba53d9fc842430305

    SHA1

    cdc08fe9629cd54c047022921d56c8dae897adea

    SHA256

    36317779901eff781f19af2e538b712af6128ae3479ecc6c51d23063a94a4e93

    SHA512

    ca182900b7135663ce39235fb22bf4a1a6e284f0f87b6053e7305f0a3e43d447b38c8808f1a61df4d7eb69f858b9d488e540bc2f12a6b06d18743d036cd99fb9

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll
    Filesize

    11.3MB

    MD5

    06c21c84c98d10f08a45bb2cf7ea1660

    SHA1

    cfe491396f8caa2d2375d9564d47919ef4526c5c

    SHA256

    0e31c9925fafd5aeb4e4e0e992fcb895b3098afc1e77c25ac875d4365124c7c5

    SHA512

    e570557c2971627dbdad469ec6aa29490fb38255b872a564494f13d01a602e6419e91f367dbea47314f4056e765fd9225741dfcc43319af9d76ea9661ad34475

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.ini
    Filesize

    27B

    MD5

    70da425f8aac14b1484047edb83e60e8

    SHA1

    69d09199af5a5ba4ed4e1d59432fec784d5271e4

    SHA256

    258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f

    SHA512

    a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\unins000.dat
    Filesize

    56KB

    MD5

    28bc1157520b0771b22d7667ab73cc97

    SHA1

    2430447191c8ccdb1d892fbfbd337d4961e13447

    SHA256

    bc01eddec272f067c37016c25f8615d2404c3aca5a6fe163dad4499d3e53b7ab

    SHA512

    1f40c80240f42d8f1d3d9957724966060dee39a4d2963c076a362b419d7e8c0fc7a40a837be157b6720b0195913db0fc6eca295285dff8059be192ff95230112

  • \Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
    Filesize

    706KB

    MD5

    c570d17bf317dfaa28d6107e30a5c33a

    SHA1

    b965d8ea6a247c93bec868860e5e49d51f3aa41a

    SHA256

    531b0231439389ed1ea9dc8ea307b355a9adf04c73b899bd5f7685ee75c7aa92

    SHA512

    88e234ecfe54b5d5241bf9ad440298db5c85994fcb68021f3e8684be6db0b6ee848299e2c92ba0eefe4306eb6318e13034344f1de8153a0b56a9b50577e66b20

  • \Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe
    Filesize

    37.4MB

    MD5

    309fdd8e3e467bd507d0b0047d095046

    SHA1

    3429b3f7dd3e5bf3d8f5ef9e3486f6a3d54240f6

    SHA256

    bfc2a6195ecfc6dfb5f8f7626e3ae4f0199a292032fbf083714c7e039f4d404b

    SHA512

    59c71d95638364ac7fb80c7da98c165e4df137022ad8743454e979d9b19d91fa1d00b25eae53adf7e33b3f97c567f0c1918403e162d8157006011d1b50581798

  • memory/288-159-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

  • memory/288-193-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

  • memory/644-194-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

  • memory/1920-195-0x0000000072DC0000-0x0000000073993000-memory.dmp
    Filesize

    11.8MB

  • memory/2868-0-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

  • memory/2868-2-0x0000000000401000-0x000000000040C000-memory.dmp
    Filesize

    44KB

  • memory/2868-191-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

  • memory/2944-8-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

  • memory/2944-192-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

  • memory/2944-202-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB