0ef5d45d1e24490ce6f64d99961603bd2c0308bfbd87b5d1a3aa2c2a23e7d84b

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLCSuite2v1_0_9.exe
Size

244.4MB
MD5

bf9e07a9538d4bf9b18d24003a8826aa
SHA1

a937695079faeccf7d5b6354f3bdc74d228f3d17
SHA256

0ef5d45d1e24490ce6f64d99961603bd2c0308bfbd87b5d1a3aa2c2a23e7d84b
SHA512

d4c81d7162da9821ac5ae695c6ff19702cbf74dc7960b3b05a37edb647ddaf2668cb153912e183ba5cafe8ccd8577d7d013d71fb650331c9464b1a887273f1eb
SSDEEP

6291456:dT1aOWHmaDQMem9w77uAHLTvkoWJC/SBUCiNeo7PekJPgh:biHmaDhu3uAXAC/SB097GJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
832	TLCSuite2v1_0_9.exe

Loads dropped DLL 1 IoCs

pid	Process
832	TLCSuite2v1_0_9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLCSuite2v1_0_9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLCSuite2v1_0_9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 832	4748	TLCSuite2v1_0_9.exe	84
PID 4748 wrote to memory of 832	4748	TLCSuite2v1_0_9.exe	84
PID 4748 wrote to memory of 832	4748	TLCSuite2v1_0_9.exe	84

C:\Users\Admin\AppData\Local\Temp\TLCSuite2v1_0_9.exe
"C:\Users\Admin\AppData\Local\Temp\TLCSuite2v1_0_9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Temp\{006FCDDB-F334-405E-BA84-B78DB31092B8}\.cr\TLCSuite2v1_0_9.exe
  "C:\Windows\Temp\{006FCDDB-F334-405E-BA84-B78DB31092B8}\.cr\TLCSuite2v1_0_9.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\TLCSuite2v1_0_9.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{006FCDDB-F334-405E-BA84-B78DB31092B8}\.cr\TLCSuite2v1_0_9.exe

Filesize
616KB

MD5
b6241b70e9a5c8457b9259d7cfd7fef8

SHA1
cafae96bda748aacb12d988d2a1aceaadbd06b50

SHA256
b58a87f32ec9203d9595601cfa2b7360d1099efa0d891176a8432b5fbc0b677f

SHA512
2f36441700438c115f84480b8919c85bed9e3dabcccb0e7768614f13f847f7854638a892cfafac2315a3e74f184ba017a7ab29a5200a1a3775e1ff5f86c15f02

Download Submit
C:\Windows\Temp\{EBCDB4A4-EC1D-47D5-8B2F-637C15B3DF18}\.ba\logo.png

Filesize
1KB

MD5
53af064055d6b9285eaa89855c144d41

SHA1
7e5f5e7d0d609da70b6d7010041a03903cbfa63f

SHA256
349b196f9c441f1a4f931bf96c3ff44027a407c701538823607f395cc6015703

SHA512
bade182aad018965faade572fe7d90311f4d6597aba225530abf03aa7c9f781c98bb9c32b55dcedabf737c02b8504d704ee9e7552a85cc4d6400947db3ee43e4

Download Submit
C:\Windows\Temp\{EBCDB4A4-EC1D-47D5-8B2F-637C15B3DF18}\.ba\wixstdba.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit