Analysis

  • max time kernel: 151s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18-06-2024 15:08

General

  • Target: TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
  • Size: 80.9MB
  • MD5: 1c0dc0579e549e8405d3648a0daef12d
  • SHA1: dd6246be90ee999c298e5346a9131ae89ec81565
  • SHA256: 16de1c80ce70584212fde77a2f9149bddeb8a266820e74c34f0d8303c14609f8
  • SHA512: 5646027558a51d7b4abbb413727b1f1cd47a3b1bb92f913842b413abb96efdecce0209a96de9ff90d08d58fa09b8cd67175f55490160f5a3d0ce2f3f7b522df3
  • SSDEEP: 1572864:rATnjQ2ad/Hx7yhztovEmEMl9GOR32beFKbA4DD9eLcQob41:On+1R7QzCEvMlF/KRUsbi

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies Internet Explorer settings (1 TTP, 7 IoCs)
  • Modifies registry class (8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe (PID 4592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp (PID 4020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp" /SL5="$120070,84175752,57856,C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"
      Signatures: Adds Run key to start application; Executes dropped EXE; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe (PID 2864)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp (PID 1556)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp" /SL5="$B005A,7983214,57856,C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"
          Signatures: Executes dropped EXE
      • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe (PID 3180)
        Command line: "C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe" w3d%3A%2F%2Ftixeocloud.sec.orange%2Fmeet%2F
        Signatures: Adds Run key to start application; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                           ID         Count
  Persistence           Boot or Logon Autostart Execution   T1547      1
  Persistence           Registry Run Keys / Startup Folder  T1547.001  1
  Privilege Escalation  Boot or Logon Autostart Execution   T1547      1
  Privilege Escalation  Registry Run Keys / Startup Folder  T1547.001  1
  Defense Evasion       Modify Registry                     T1112      2
  Discovery             Query Registry                      T1012      1
  Discovery             System Information Discovery        T1082      1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp
    Filesize: 706KB
    MD5: 53267ddd5af9cadba53d9fc842430305
    SHA1: cdc08fe9629cd54c047022921d56c8dae897adea
    SHA256: 36317779901eff781f19af2e538b712af6128ae3479ecc6c51d23063a94a4e93
    SHA512: ca182900b7135663ce39235fb22bf4a1a6e284f0f87b6053e7305f0a3e43d447b38c8808f1a61df4d7eb69f858b9d488e540bc2f12a6b06d18743d036cd99fb9

  • C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe
    Filesize: 7.9MB
    MD5: 9851bec28a2fe7c81888c11562c420f1
    SHA1: 64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0
    SHA256: 2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f
    SHA512: 84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56

  • C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
    Filesize: 706KB
    MD5: c570d17bf317dfaa28d6107e30a5c33a
    SHA1: b965d8ea6a247c93bec868860e5e49d51f3aa41a
    SHA256: 531b0231439389ed1ea9dc8ea307b355a9adf04c73b899bd5f7685ee75c7aa92
    SHA512: 88e234ecfe54b5d5241bf9ad440298db5c85994fcb68021f3e8684be6db0b6ee848299e2c92ba0eefe4306eb6318e13034344f1de8153a0b56a9b50577e66b20

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\FMXStyle\Tixeo.style
    Filesize: 693KB
    MD5: f566675c424ef5c970db95bdc1122544
    SHA1: 023d850f042237aa5e0e52f54ceb6394854d51ba
    SHA256: add992778228969e6a5e6cb0d37e900ef4b687a3dd711d1ad329272a9c4f9acb
    SHA512: 98846c90bc2ce5af9d50e4571bcd41233cca225beda63aa7fdbbc6c642ff50cf71584a0d645baaa5e8849377de551950f40ca797b4b43aa360d2f2841ac93644

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\W3DClient.ico
    Filesize: 14KB
    MD5: b1ac0ba9a872c5c8d3cd98da8cf2610c
    SHA1: ebca489f77d10f19646f09b272ff4b8f5c0250b0
    SHA256: e1baaedd65026ba814c3d1130ac1822f5b0401ec1087eb9806d6eaeb9d065227
    SHA512: f1a0c465f28fe0dc1da40008578afb133dee8307e69da6e77f3ec2cb0c53a7d1a2ef94fd44bac5f045e4ee7d4dbaa6d1657fb53b56e168b1452e079faaf8ce15

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\logo.png
    Filesize: 16KB
    MD5: 2969fe9eb4c6849f5b82f6e1341064b2
    SHA1: 941020826c9812987a037e963eec8f903358f508
    SHA256: 815bb4dbd19256de95f2ea72409bccecda3b66608a5df4f7c341b950a002c8cd
    SHA512: 9ff36b49cd594ae4020e31a2784942d26accdd073c968be72a862a4b70961a466d0cd37d2a6cd200c0bbb7d42730bca967adbdba74289d4425cb769561b9a31d

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\logo_connection.png
    Filesize: 88KB
    MD5: a301240dd556b69dbe96a3548f1549d9
    SHA1: 8c14c8cff1318718d15f4499a4266b0576c0f739
    SHA256: 0be2fc885c46a87989f3983bdfa4818ca1c9572585f024ef683dd5f4fd9d9f20
    SHA512: 22e8140145c1ec7e5260649ffbc6beff66585787881cc00c32cd27032c18d6b186a77d31798413b13d54f1ae32be1062c6755d93fce56ca1ff81af1c46dcefb8

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixVideoCapture64.dll
    Filesize: 856KB
    MD5: 5cd4a9fda43b696e906d45a49932de6c
    SHA1: ead765c10c6ada15366fca80bd812096b6c70f3f
    SHA256: 1408ae76d5851596db247f5ba48270eba8719fc8945c76523dd99c2007402143
    SHA512: f2ef3e7844b072a553ef828098f7422d9e73acc9425be84d04bae1550df22fa6ce80fc24061b739222899fa85d9d056600ce4be7c6031c5597b7fc45121cb861

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixVoiceEngine64.dll
    Filesize: 2.1MB
    MD5: 059fa1187ff9eed92b5e69c127da5460
    SHA1: 189456807b6d6c8a9fcea974235ba217890c5a66
    SHA256: 14d5d785e4bb572f944529b4a7041897670a929669d86d2175cf371c88339072
    SHA512: fcc94c2c31bd9e81ef8ec392677751a8a31581749e01f4891c18cb96e68566586d60ffcfec8a2f2a8d9e377ebf4a415cdb6bc652950a5b4b717e993c8d8b87bd

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\VCRUNTIME140.dll
    Filesize: 96KB
    MD5: 297ed3dc0a70d18831c404207f0bbeec
    SHA1: 7bb96f36fbb4a45a4b0ac3d6006f2a7c3ed7586a
    SHA256: 3129efefe22c6b1ca3975b5f336a66c6595ca01d2aac024d16456cb3a855af28
    SHA512: 196dd8262eaf81ea637a278b94f9a173798a7ee5e96b6adcb95733080134be99f1d9ee81911af585a708e18418ffbf6c89e8d6b77313f6776b19241f1b3a5d7f

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\VCRUNTIME140_1.dll
    Filesize: 37KB
    MD5: cd01126ceef33fc1ccaf080eb2456b0a
    SHA1: 9315febfd7253d348628c8a5ad61cddf1b758d8b
    SHA256: fc05184048aa5a21541a7156ad2b3b0d636f7276a5085d64cca34d6df2fc6fce
    SHA512: ddeeb996fc0febd9b247789b14bf652580398f2abe2eace9db5b638763e88c05715e57e6d90110ef2dbcdb0d3d824647acd487a222be965edaf5b011c219796d

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe
    Filesize: 37.4MB
    MD5: 309fdd8e3e467bd507d0b0047d095046
    SHA1: 3429b3f7dd3e5bf3d8f5ef9e3486f6a3d54240f6
    SHA256: bfc2a6195ecfc6dfb5f8f7626e3ae4f0199a292032fbf083714c7e039f4d404b
    SHA512: 59c71d95638364ac7fb80c7da98c165e4df137022ad8743454e979d9b19d91fa1d00b25eae53adf7e33b3f97c567f0c1918403e162d8157006011d1b50581798

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\WebView2Loader_x64.dll
    Filesize: 138KB
    MD5: 17a22b6d75259d43a66bb876f17b29ee
    SHA1: fa0ab5df1a100d2395d5bc18cbb0e2a10b6823af
    SHA256: b8eed761e68d1d28c5c7621b4ac31bdc4ab2edb2395b84bf7b03c9e7b35c0908
    SHA512: 5b9d1220fe6cf4497e046136c0491c64bf978caac8ae42a29dd1b0b3e47138039eac813601ccd569f9847c2b6c8f3e24dd6a2b68a9fb488277c3c9f4e082864d

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\libcrypto-3-x64.dll
    Filesize: 4.7MB
    MD5: 60226f4d749f39412f4c6a31a80f9312
    SHA1: fa337d0cb02f1797c7bb8d069a1b06629cdfc7f9
    SHA256: 80bdb06d9670d5ab1bef3db438c77ced55ff6f659cb6599b82ca7c18b0960dd7
    SHA512: 0d73dbfbdb7d4c932471cc32d30f41d309eb2e6b8737a3a2059ec62eab4138a79f3ecc85fcdd672e0fbfd805cf17e30fa90c27ce254018b4e4ef054f9e392da6

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\libssl-3-x64.dll
    Filesize: 726KB
    MD5: 4b18d47218662e4cd80318d2b7ed8d74
    SHA1: 25e7825b5d66069ef40f7164d1e53c5e16e96efb
    SHA256: 48fb7e228ecaa8cee0589360fa2e9d7fd0109e99096df333cf212fcc681853c1
    SHA512: 6c309a03c987d8dfc356760ef320071848fde54926f35f440ddc434b43f03da8c1e8002d3821e4ae9ecf0d0f7636d67d95287fccbf38a5e98ccd64e54a4085a7

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\sk4d.dll
    Filesize: 19.0MB
    MD5: 9cc8f7e6b2760a85341dfe7b68e7685a
    SHA1: 23417d72e84cca2e73a1c2ae6f55f514d0481db7
    SHA256: 0ff39c2b830ee8aa185b3e65ea54adb40781219455f2c375d68b80407ed8e7d2
    SHA512: 502ac71f1e4e6f5148db634f94a4c2dada5b99a0558b12b2c1af06ad68113dfe8b1eb8021529b35158f0e7777229a8f8863abf81b9de09b14124649588b07193

  • C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\tixeo_quic.x64.dll
    Filesize: 2.3MB
    MD5: a4a1e90fe200c9d615d26784e3b71c41
    SHA1: d942e9c7186f350ebb460a0d75b5bb96ffbc31b9
    SHA256: 3b4d909c511e5e06df0d802332d6088470d39e8c46325655453660e4a70cc0c9
    SHA512: 12a3e5e2ffd5b9a259caa2c8462b639f6223eb9db853bb3f7bd0e0217f9ff938b81560f054ea2e3245a4da89a7f9275d84aa0b24f5396e5cabc59105edbf4422

  • C:\Users\Admin\AppData\Local\tixeoclient\config.ini
    Filesize: 1KB
    MD5: 0ac1d5f17cf8576e1bd1c59431d37526
    SHA1: 5a14550518db0d44ac8e74159df250571a2ce64f
    SHA256: 37274b024e77fc60a18239b3a2c57086f7292ad8b83acff8f46b5f18e0ff4bfa
    SHA512: 738c20a8db12c76d34ec909878a969e028569008cbcdcc8531e130e693c111d5110f5ca7e6c4d9b0bb9ac8c85718f904a168d95d1deb8b480c4fe5e3008df14b

  • memory/1556-163-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/1556-165-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/2864-156-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/2864-153-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/2864-168-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/3180-207-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-210-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-217-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-216-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-212-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-204-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-205-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-206-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/3180-208-0x00000000002A0000-0x00000000028C2000-memory.dmp
    Filesize: 38.1MB

  • memory/4020-181-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/4020-6-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/4592-0-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/4592-2-0x0000000000401000-0x000000000040C000-memory.dmp
    Filesize: 44KB

  • memory/4592-184-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB