Overview
overview
10Static
static
3TidyMe.exe
windows7-x64
7TidyMe.exe
windows10-2004-x64
10$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/app-64.7z
windows7-x64
3$PLUGINSDIR/app-64.7z
windows10-2004-x64
3LICENSE.electron.txt
windows7-x64
1LICENSE.electron.txt
windows10-2004-x64
1LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1TidyMe.exe
windows7-x64
7TidyMe.exe
windows10-2004-x64
7chrome_100...nt.pak
windows7-x64
3chrome_100...nt.pak
windows10-2004-x64
3chrome_200...nt.pak
windows7-x64
3chrome_200...nt.pak
windows10-2004-x64
3d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1icudtl.dat
windows7-x64
3icudtl.dat
windows10-2004-x64
3libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1locales/af.pak
windows7-x64
3locales/af.pak
windows10-2004-x64
3locales/am.pak
windows7-x64
3Analysis
-
max time kernel
56s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
08-07-2024 11:24
Static task
static1
Behavioral task
behavioral1
Sample
TidyMe.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
TidyMe.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/app-64.7z
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/app-64.7z
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
LICENSE.electron.txt
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
LICENSE.electron.txt
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
LICENSES.chromium.html
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
LICENSES.chromium.html
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
TidyMe.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
TidyMe.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
chrome_100_percent.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
chrome_100_percent.pak
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
chrome_200_percent.pak
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral20
Sample
chrome_200_percent.pak
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
ffmpeg.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral23
Sample
ffmpeg.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
icudtl.dat
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral25
Sample
icudtl.dat
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
libEGL.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral27
Sample
libEGL.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
libGLESv2.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral29
Sample
libGLESv2.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
locales/af.pak
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral31
Sample
locales/af.pak
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
locales/am.pak
Resource
win7-20240704-en
windows7-x64
General
-
Target
TidyMe.exe
-
Size
150.7MB
-
MD5
0771b3d0b51d227be62e2e61275cf43e
-
SHA1
005e0fca1a0712cc244a7c95e6e8e06b6df79ba5
-
SHA256
db3298bb7f3637c5fbbf9370cc5dafdde8f4f4e51c3377ded584cbb373a15e74
-
SHA512
bd3556ddb142f8fd066e4a6aa52849c980b7121d7746db97376804cbac937ff3e41807a02d65f92cd48098f2a1ffe6b9c23046d087128bdf62f3b5cf58360308
-
SSDEEP
1572864:PlAhthKM29V6LLWANUB9IinJn1cpGN4vM+JlhrZnQ9I4FdUrczKrk4Ze2OC2+:ktSD64Jnqrt5v2
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation TidyMe.exe Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation TidyMe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe Token: SeShutdownPrivilege 572 TidyMe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 2652 572 TidyMe.exe 28 PID 572 wrote to memory of 3040 572 TidyMe.exe 29 PID 572 wrote to memory of 3040 572 TidyMe.exe 29 PID 572 wrote to memory of 3040 572 TidyMe.exe 29 PID 572 wrote to memory of 1964 572 TidyMe.exe 30 PID 572 wrote to memory of 1964 572 TidyMe.exe 30 PID 572 wrote to memory of 1964 572 TidyMe.exe 30 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31 PID 572 wrote to memory of 2716 572 TidyMe.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"C:\Users\Admin\AppData\Local\Temp\TidyMe.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\TidyMe" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=1136,i,2443247602049566046,18070226149861945824,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"C:\Users\Admin\AppData\Local\Temp\TidyMe.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\TidyMe" --mojo-platform-channel-handle=1244 --field-trial-handle=1136,i,2443247602049566046,18070226149861945824,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"C:\Users\Admin\AppData\Local\Temp\TidyMe.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\TidyMe" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1496 --field-trial-handle=1136,i,2443247602049566046,18070226149861945824,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:12⤵
- Checks computer location settings
PID:1964
-
-
C:\Users\Admin\AppData\Local\Temp\TidyMe.exe"C:\Users\Admin\AppData\Local\Temp\TidyMe.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\TidyMe" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1432 --field-trial-handle=1136,i,2443247602049566046,18070226149861945824,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23