Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
- Resource: win10v2004-20240508-en
General
- Target: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
- Size: 80.9MB
- MD5: 1c0dc0579e549e8405d3648a0daef12d
- SHA1: dd6246be90ee999c298e5346a9131ae89ec81565
- SHA256: 16de1c80ce70584212fde77a2f9149bddeb8a266820e74c34f0d8303c14609f8
- SHA512: 5646027558a51d7b4abbb413727b1f1cd47a3b1bb92f913842b413abb96efdecce0209a96de9ff90d08d58fa09b8cd67175f55490160f5a3d0ce2f3f7b522df3
- SSDEEP: 1572864:rATnjQ2ad/Hx7yhztovEmEMl9GOR32beFKbA4DD9eLcQob41:On+1R7QzCEvMlF/KRUsbi
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\W3DClient = "\"C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe\"" (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
- Event Triggered Execution: Component Object Model Hijacking (1 TTP)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Executes dropped EXE (3 IoCs)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, TixeoOutlookPlugin.exe, TixeoOutlookPlugin.tmp
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 288 TixeoOutlookPlugin.exe
  - PID 644 TixeoOutlookPlugin.tmp
- Loads dropped DLL (10 IoCs)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe, TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, TixeoOutlookPlugin.exe, regsvr32.exe
  - PID 2868 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 1204 (no process name listed)
  - PID 1204 (no process name listed)
  - PID 1204 (no process name listed)
  - PID 1204 (no process name listed)
  - PID 288 TixeoOutlookPlugin.exe
  - PID 1920 regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593} (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppName = "W3DClient.exe" (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client" (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\Policy = "3" (process: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
- Modifies registry class (24 IoCs)
  Processes: (A) TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp; (B) regsvr32.exe
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\shell\Open\command (process A)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\shell (process A)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32 (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ProgID\ = "TixeoOutlookAddin.coTixeoOutlookAddin" (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\Version (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d (process A)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32\ThreadingModel = "Apartment" (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TixeoOutlookAddin.coTixeoOutlookAddin\Clsid (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\Version\ = "1.0" (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\shell\Open (process A)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TixeoOutlookAddin.coTixeoOutlookAddin\Clsid\ = "{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}" (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ProgID (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\TypeLib (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\TypeLib\ = "{DD7C8A60-77B9-4441-8898-F10682EDE59C}" (process B)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TixeoOutlookAddin.coTixeoOutlookAddin (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TixeoOutlookAddin.coTixeoOutlookAddin\ = "coTixeoOutlookAddin Object" (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\ = "URL:Tixeo Communication protocol" (process A)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\URL Protocol (process A)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe %1" (process A)
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28} (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ = "coTixeoOutlookAddin Object" (process B)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TIXEOS~1\\COMMUN~1\\Client\\TIXEOO~2.DLL" (process B)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, regsvr32.exe
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 1920 regsvr32.exe
  - PID 1920 regsvr32.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, TixeoOutlookPlugin.tmp
  - PID 2944 TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  - PID 644 TixeoOutlookPlugin.tmp
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe, TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, TixeoOutlookPlugin.exe, TixeoOutlookPlugin.tmp
  - PID 2868 (TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe) wrote to memory of PID 2944 (TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp): 7 events
  - PID 2944 (TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp) wrote to memory of PID 288 (TixeoOutlookPlugin.exe): 4 events
  - PID 288 (TixeoOutlookPlugin.exe) wrote to memory of PID 644 (TixeoOutlookPlugin.tmp): 7 events
  - PID 644 (TixeoOutlookPlugin.tmp) wrote to memory of PID 1920 (regsvr32.exe): 7 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp" /SL5="$50150,84175752,57856,C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
      - Adds Run key to start application
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp" /SL5="$301E8,7983214,57856,C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\regsvr32.exe
               Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll"
               - Loads dropped DLL
               - Modifies registry class
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe
  Filesize: 7.9MB
  MD5: 9851bec28a2fe7c81888c11562c420f1
  SHA1: 64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0
  SHA256: 2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f
  SHA512: 84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56
- C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp
  Filesize: 706KB
  MD5: 53267ddd5af9cadba53d9fc842430305
  SHA1: cdc08fe9629cd54c047022921d56c8dae897adea
  SHA256: 36317779901eff781f19af2e538b712af6128ae3479ecc6c51d23063a94a4e93
  SHA512: ca182900b7135663ce39235fb22bf4a1a6e284f0f87b6053e7305f0a3e43d447b38c8808f1a61df4d7eb69f858b9d488e540bc2f12a6b06d18743d036cd99fb9
- C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll
  Filesize: 11.3MB
  MD5: 06c21c84c98d10f08a45bb2cf7ea1660
  SHA1: cfe491396f8caa2d2375d9564d47919ef4526c5c
  SHA256: 0e31c9925fafd5aeb4e4e0e992fcb895b3098afc1e77c25ac875d4365124c7c5
  SHA512: e570557c2971627dbdad469ec6aa29490fb38255b872a564494f13d01a602e6419e91f367dbea47314f4056e765fd9225741dfcc43319af9d76ea9661ad34475
- C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.ini
  Filesize: 27B
  MD5: 70da425f8aac14b1484047edb83e60e8
  SHA1: 69d09199af5a5ba4ed4e1d59432fec784d5271e4
  SHA256: 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
  SHA512: a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2
- C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\unins000.dat
  Filesize: 56KB
  MD5: 28bc1157520b0771b22d7667ab73cc97
  SHA1: 2430447191c8ccdb1d892fbfbd337d4961e13447
  SHA256: bc01eddec272f067c37016c25f8615d2404c3aca5a6fe163dad4499d3e53b7ab
  SHA512: 1f40c80240f42d8f1d3d9957724966060dee39a4d2963c076a362b419d7e8c0fc7a40a837be157b6720b0195913db0fc6eca295285dff8059be192ff95230112
- \Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
  Filesize: 706KB
  MD5: c570d17bf317dfaa28d6107e30a5c33a
  SHA1: b965d8ea6a247c93bec868860e5e49d51f3aa41a
  SHA256: 531b0231439389ed1ea9dc8ea307b355a9adf04c73b899bd5f7685ee75c7aa92
  SHA512: 88e234ecfe54b5d5241bf9ad440298db5c85994fcb68021f3e8684be6db0b6ee848299e2c92ba0eefe4306eb6318e13034344f1de8153a0b56a9b50577e66b20
- \Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe
  Filesize: 37.4MB
  MD5: 309fdd8e3e467bd507d0b0047d095046
  SHA1: 3429b3f7dd3e5bf3d8f5ef9e3486f6a3d54240f6
  SHA256: bfc2a6195ecfc6dfb5f8f7626e3ae4f0199a292032fbf083714c7e039f4d404b
  SHA512: 59c71d95638364ac7fb80c7da98c165e4df137022ad8743454e979d9b19d91fa1d00b25eae53adf7e33b3f97c567f0c1918403e162d8157006011d1b50581798
- memory/288-159-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
- memory/288-193-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
- memory/644-194-0x0000000000400000-0x00000000004BE000-memory.dmp
  Filesize: 760KB
- memory/1920-195-0x0000000072DC0000-0x0000000073993000-memory.dmp
  Filesize: 11.8MB
- memory/2868-0-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
- memory/2868-2-0x0000000000401000-0x000000000040C000-memory.dmp
  Filesize: 44KB
- memory/2868-191-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
- memory/2944-8-0x0000000000400000-0x00000000004BE000-memory.dmp
  Filesize: 760KB
- memory/2944-192-0x0000000000400000-0x00000000004BE000-memory.dmp
  Filesize: 760KB
- memory/2944-202-0x0000000000400000-0x00000000004BE000-memory.dmp
  Filesize: 760KB