Overview
overview
10Static
static
3TidyMe.exe
windows7-x64
7TidyMe.exe
windows10-2004-x64
10$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/app-64.7z
windows7-x64
3$PLUGINSDIR/app-64.7z
windows10-2004-x64
3LICENSE.electron.txt
windows7-x64
1LICENSE.electron.txt
windows10-2004-x64
1LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1TidyMe.exe
windows7-x64
7TidyMe.exe
windows10-2004-x64
7chrome_100...nt.pak
windows7-x64
3chrome_100...nt.pak
windows10-2004-x64
3chrome_200...nt.pak
windows7-x64
3chrome_200...nt.pak
windows10-2004-x64
3d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1icudtl.dat
windows7-x64
3icudtl.dat
windows10-2004-x64
3libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1locales/af.pak
windows7-x64
3locales/af.pak
windows10-2004-x64
3locales/am.pak
windows7-x64
3Analysis
-
max time kernel
119s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
08-07-2024 11:24
Static task
static1
Behavioral task
behavioral1
Sample
TidyMe.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
TidyMe.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/app-64.7z
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/app-64.7z
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
LICENSE.electron.txt
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
LICENSE.electron.txt
Resource
win10v2004-20240704-en
Behavioral task
behavioral13
Sample
LICENSES.chromium.html
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
LICENSES.chromium.html
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
TidyMe.exe
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
TidyMe.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral17
Sample
chrome_100_percent.pak
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
chrome_100_percent.pak
Resource
win10v2004-20240704-en
Behavioral task
behavioral19
Sample
chrome_200_percent.pak
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
chrome_200_percent.pak
Resource
win10v2004-20240704-en
Behavioral task
behavioral21
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral22
Sample
ffmpeg.dll
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
ffmpeg.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral24
Sample
icudtl.dat
Resource
win7-20240705-en
Behavioral task
behavioral25
Sample
icudtl.dat
Resource
win10v2004-20240704-en
Behavioral task
behavioral26
Sample
libEGL.dll
Resource
win7-20240704-en
Behavioral task
behavioral27
Sample
libEGL.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral28
Sample
libGLESv2.dll
Resource
win7-20240704-en
Behavioral task
behavioral29
Sample
libGLESv2.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral30
Sample
locales/af.pak
Resource
win7-20240705-en
Behavioral task
behavioral31
Sample
locales/af.pak
Resource
win10v2004-20240704-en
Behavioral task
behavioral32
Sample
locales/am.pak
Resource
win7-20240704-en
General
-
Target
locales/af.pak
-
Size
340KB
-
MD5
198092a7a82efced4d59715bd3e41703
-
SHA1
ac3cdfba133330fce825816b2f9579ac240dc176
-
SHA256
d63222c4a20fa9741f5262634cf9751f22fbb4fcd9d3138d7c8d49e0efb57fba
-
SHA512
590dcc02bc3411fa585321a09f2033ca1839dd67b083622be412d60683c2c086aac81a27bc56029101f6158515cc6ae4def39d3f246b7499b30d02690904af0d
-
SSDEEP
6144:ptbDrUln/WiOvz9P5D4uEmv0XPjC6nAcbaK6pgwwexhsVxS42K6tA3pU5tpwDw44:ptfOOiOvzg/mCPjC6nAcbipgwwePSS4C
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.pak\ = "pak_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.pak rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pak_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2604 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2604 AcroRd32.exe 2604 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2660 wrote to memory of 1812 2660 cmd.exe 32 PID 2660 wrote to memory of 1812 2660 cmd.exe 32 PID 2660 wrote to memory of 1812 2660 cmd.exe 32 PID 1812 wrote to memory of 2604 1812 rundll32.exe 33 PID 1812 wrote to memory of 2604 1812 rundll32.exe 33 PID 1812 wrote to memory of 2604 1812 rundll32.exe 33 PID 1812 wrote to memory of 2604 1812 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak1⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\af.pak2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\af.pak"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2604
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5dd9c36589b88b3b39420ba1dbc14c10c
SHA1cfbe0156e2cee7536013be912e78bb347555fff5
SHA256b9f129ad0f3e393d32f653a5b41a63b2c96ecafb896a3de7951cfff456d513e3
SHA512b6dfc4b6f629cdc46dc0586e6c31dfa5993bf71f40bafb8f318dd5599dc12e27ac52efec70a239c9fcf3d4306d0d2fb0acf2a4bf0b619d03048f5a0f42d4d4cb