5d7815f717d121179818ab39dd8264e6b7f79524568db6415f659cafd5f0416c

General

Target

TSPComboExtractor.exe
Size

1.7MB
MD5

5eb2e5c621b6f18978a62d7bba94397d
SHA1

abb47cf8ec2823cd99d3087c2bc34a0f5122c0a6
SHA256

5d7815f717d121179818ab39dd8264e6b7f79524568db6415f659cafd5f0416c
SHA512

71875682964958a3455c886af1ee5c92f47f57314443c1f0d6f959756a2e8ec481039323dbcbd3f1391d5893a5954bc71e73635f364f191140c457a95f36287e
SSDEEP

24576:ZQ9u98/1Xx+nuiSgGKTxpI8KEXyYLjo9wWr+NA6GQoj1F2ZaIvuonX60:8ITpKbQjNWrf6GQy7+97q0

Score

7^/10

agilenet discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

TSPComboExtractor.exe

pid process

1952 TSPComboExtractor.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1952-1-0x0000000005270000-0x0000000005380000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

TSPComboExtractor.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TSPComboExtractor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSPComboExtractor.exe

Modifies registry class 33 IoCs

Processes:

TSPComboExtractor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	TSPComboExtractor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	TSPComboExtractor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	TSPComboExtractor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	TSPComboExtractor.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	TSPComboExtractor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	TSPComboExtractor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	TSPComboExtractor.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

TSPComboExtractor.exe

pid	process
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe
1952	TSPComboExtractor.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TSPComboExtractor.exe

description	pid	process
Token: 33	1952	TSPComboExtractor.exe
Token: SeIncBasePriorityPrivilege	1952	TSPComboExtractor.exe
Token: SeDebugPrivilege	1952	TSPComboExtractor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TSPComboExtractor.exe

pid process

1952 TSPComboExtractor.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TSPComboExtractor.exe

pid process

1952 TSPComboExtractor.exe

C:\Users\Admin\AppData\Local\Temp\TSPComboExtractor.exe
"C:\Users\Admin\AppData\Local\Temp\TSPComboExtractor.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.dll

Filesize
124KB

MD5
86517901ec66f1fadc9ce6facaea9e31

SHA1
9ba130c485b2f59b7b11458b06792d6346bcdc91

SHA256
3b576950cff4d67a724f8df9d0db1f3f3195f54aca0cae86e9dc928cc0be022c

SHA512
bdffd3784a4d4ce9f58c60dade510f06d67943475a9bb01a38e89e57486b299d7e2cd35cf22f1d295bdb3ea854c6563e4774c15fdf2726f1f9c5b10f13f5df2f

Download Submit
memory/1952-15-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/1952-26-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-1-0x0000000005270000-0x0000000005380000-memory.dmp

Filesize
1.1MB

Download
memory/1952-4-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/1952-5-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-6-0x0000000005000000-0x0000000005026000-memory.dmp

Filesize
152KB

Download
memory/1952-7-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-8-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-3-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-2-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-17-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-16-0x0000000005D00000-0x0000000005D0A000-memory.dmp

Filesize
40KB

Download
memory/1952-18-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-19-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1952-20-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-22-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/1952-23-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1952-25-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1952-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads