Overview

overview

7

Static

static

3

B-TMS.exe

windows7-x64

7

B-TMS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 11:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    B-TMS.exe

  • Size

    19.0MB

  • MD5

    2bbb2666e3c9250e42f8457af2c7e4d5

  • SHA1

    b9734a3542462abb48496e60ccd1db93c6b42397

  • SHA256

    4934f294870afade9a8f3e78dd329a2a597588ed5d11ef7b09e0a82862b09ca8

  • SHA512

    589c736418d4277809a64cad0ca0c825f8b47eb5b8cd7341fbc0b5f6f6d7a54b0c5bcf9d32102a13adf49db903117a1f07aaabfa5ecc95d8637debe44ad2d850

  • SSDEEP

    393216:D1ZwrNyZnBinon+lQPZ8CtYmoBkJEv8o2eyeLbczs3XCKTbr9J:RhwnDl+EHbpb7BTX3

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B-TMS.exe
    "C:\Users\Admin\AppData\Local\Temp\B-TMS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\is-7H4C5.tmp\B-TMS.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7H4C5.tmp\B-TMS.tmp" /SL5="$6011C,19253364,721408,C:\Users\Admin\AppData\Local\Temp\B-TMS.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Program Files (x86)\B-TMS\B-TMS Commander\Btmscmd.exe
        "C:\Program Files (x86)\B-TMS\B-TMS Commander\Btmscmd.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3048

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\B-TMS\B-TMS Commander\Btmscmd.exe
          Filesize

          5.8MB

          MD5

          68d6bfed055921268f353f8bfe78fcee

          SHA1

          26a7d0418a3ab52ae66431adf6997ec8bdbfc764

          SHA256

          f1465a1e431c942f70ec0f2eb902a67cd2aff73d5cb9424428afb26effec3dcb

          SHA512

          fa128e48be1272a681166322acd9a0d6bb5235e1cf9aff237a6e144578bf6f13ae8ba446f1c7e0793307d3385e69cee76a4c61fca7f403b0fe3c97e29de2f003

          Download Submit

        • C:\Program Files (x86)\B-TMS\B-TMS Commander\ToolkitPro1820vc150.dll
          Filesize

          11.3MB

          MD5

          e4c32a5dfe75f95ce6c5cd940ba82f7e

          SHA1

          585b8401c28bbd7271cd6ab19c8c6e36af4f73ea

          SHA256

          87f6e58019ade0dafa07baf9c33a3225ce6b21a76395fe76d98de42b56ad596d

          SHA512

          486739f3afa241e8e9e6d402745dffc7345bfb3009acc06cdec109ce03201de68fefcd20a46550be8352309155aa37eba5f9807ded85e191e4d063d0a84cc108

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-7H4C5.tmp\B-TMS.tmp
          Filesize

          2.4MB

          MD5

          84db4b4205f705da71471dc6ecc061f5

          SHA1

          b90bac8c13a1553d58feef95a2c41c64118b29cf

          SHA256

          647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

          SHA512

          c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

          Download Submit

        • memory/3356-6-0x0000000000400000-0x0000000000679000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/3356-9-0x0000000000400000-0x0000000000679000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/3356-65-0x0000000000400000-0x0000000000679000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/3356-68-0x0000000000400000-0x0000000000679000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/4412-0-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4412-2-0x0000000000401000-0x00000000004A9000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4412-8-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4412-69-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

          Download