b0fcddf7e2136c3a682e35fb9bb564db44e297fbee5ece3b604d805286207ece

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tcpz.exe
Size

421KB
MD5

11d94b8c08add90829ea2b2c6d68bb76
SHA1

d1f3dd48835f67172b7f77ec07f8e30b713b149e
SHA256

2ad20c26380b36a0b9ff0e5d346a1b92c15c28f89e7e49e752f4432aa906e75d
SHA512

462146ba5e017c2ec5933529ae95933c6d965ac41ede574f6e48038e8326924ea696f8a9686b463e12e6cf0827c4f55f4116fb7fdba1f74fdf2d465bb6c4a57c
SSDEEP

3072:le/2TCkMuN/+vBEVSNBF6lib/yTmKy5OpeQwrIk8avRsX37EWbNuSQtAOZvszIcu:lAaN/+52SNBQ+yTm40Db+GdDTiblvE

Score

9^/10

defense_evasion discovery evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2604	bcdedit.exe

Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs

Allows any signed driver to load without validation against a trusted certificate authority.

defense_evasion

Code Signing Policy Modification

T1553.006

pid	Process
2604	bcdedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpz.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	tcpz.exe
2664	tcpz.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2604	2664	tcpz.exe	30
PID 2664 wrote to memory of 2604	2664	tcpz.exe	30
PID 2664 wrote to memory of 2604	2664	tcpz.exe	30
PID 2664 wrote to memory of 2604	2664	tcpz.exe	30

C:\Users\Admin\AppData\Local\Temp\tcpz.exe
"C:\Users\Admin\AppData\Local\Temp\tcpz.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  - Enables test signing to bypass driver trust controls
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Code Signing Policy Modification

T1553.006

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact