Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 03:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe
-
Size
77KB
-
MD5
10ac20988a4e81d18380114e62d1f050
-
SHA1
00fb2a4683519f0b2183cb62af8e6242ef1b7c8e
-
SHA256
939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75b
-
SHA512
e8e107faab81cc3459c2f877172fa0ed0a3ce5ca821ec911d637b343c7f6aa2bb878cfb3726772b4b8e76021fc11ad04be4c47f0f7fdffd455b73bfd8173d590
-
SSDEEP
1536:0vbbcxMu15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0x:ybbcxx15Bx8pEttgdO/mXpgWXOJgQmmi
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tiofii.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe -
Executes dropped EXE 1 IoCs
pid Process 2256 tiofii.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiofii = "C:\\Users\\Admin\\tiofii.exe" tiofii.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tiofii.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe 2256 tiofii.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3492 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe 2256 tiofii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 2256 3492 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe 82 PID 3492 wrote to memory of 2256 3492 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe 82 PID 3492 wrote to memory of 2256 3492 939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe 82 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81 PID 2256 wrote to memory of 3492 2256 tiofii.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe"C:\Users\Admin\AppData\Local\Temp\939ed73bd36d9677191f2fb7987885e838b32b9b8c789e2a22bb5d64ad63e75bN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Users\Admin\tiofii.exe"C:\Users\Admin\tiofii.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD530d7d9edbca7e6a7b8f09ccb71661134
SHA1bda9969bec08892f89124e4b8c3ca22fea78b8dc
SHA25665b6cd42e7a7d96d18fa3cab48f1d8c57559d15587df7bb2b75feb160053e9a1
SHA5120016d5b8d198803be9809e2b1fd23f95579098fd5db03b193e50fa098e7d528f59f144798b3638f2b1ac444ceb92c5ba3bc96afa36d36eae39b9ddfcba99d3a8