e06e7863d70d633589135d5f8801a19b09280d6bfb34cb3dec65d74ebebf6633

Analysis

max time kernel
91s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_2_/TenioDL/TenioDL.exe
Size

333KB
MD5

ce472064b917fdd429b07d10880c487f
SHA1

0c092116d67a5447f1f632c4e0e65a3b516a892c
SHA256

bdf2209a2cb6a7b9c3a0be4a7a0abdf988f446a4232973c6204ee2e4a2ed632a
SHA512

2b158fc4498e3756c17c8b44d2fc2464d62c639b6d425e72301c0f9b6f359a67e011d647c8de698c9e794cef0e65cb9efda34b63ed060611d97b0eadbf3c88d7
SSDEEP

6144:9TqmoyUiZ4Q5ihITwRYoOhQYtm5p4qpBtV/A5MGdTKLUaAxkBbOC+OJOh69A:9loyDZ4Q5ihRYEYtm5p4qpBtVo5MGdTh

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	TenioDL.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4568	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	TenioDL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	TenioDL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = c64ca2e73512d44ab26a9db41a96f9f4	TenioDL.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4568	3500	TenioDL.exe	86
PID 3500 wrote to memory of 4568	3500	TenioDL.exe	86
PID 3500 wrote to memory of 4568	3500	TenioDL.exe	86

C:\Users\Admin\AppData\Local\Temp\$_2_\TenioDL\TenioDL.exe
"C:\Users\Admin\AppData\Local\Temp\$_2_\TenioDL\TenioDL.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
  2⤵
  - Modifies file permissions
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\Config\p2p_common.ini

Filesize
94B

MD5
ed2fa3cbeaf211cf787a03ee588247a5

SHA1
33b05258abbb3f0e72430bf75419a17a121c6d43

SHA256
3e38ea446d3e1a0bb696ca82fab4615c0f4bda2fd2b446030483806dd5ee294d

SHA512
69f6cc535abab26a96dc58d2fc7044a0bef0a446db7ab467008286222753cd40f09141ef79593387ca44a9f9e0251985658a52c75487a125a2c7b61d48261d91

Download Submit
memory/3500-0-0x00000000022C0000-0x000000000232D000-memory.dmp

Filesize
436KB

Download
memory/3500-2-0x0000000002370000-0x00000000023B8000-memory.dmp

Filesize
288KB

Download
memory/3500-4-0x00000000023D0000-0x00000000023F6000-memory.dmp

Filesize
152KB

Download
memory/3500-6-0x0000000003050000-0x00000000030BE000-memory.dmp

Filesize
440KB

Download