Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 05:28

General

  • Target

    tcpz64.exe

  • Size

    737KB

  • MD5

    7368655a99d81b2b2ae2e13765421313

  • SHA1

    6b8144df8ce9f6566ec6fff77844c2622ba45b22

  • SHA256

    aa3688a07bfbe5df55d5fc26d5ace38d48c9882d5038df4b91c85cadac02584c

  • SHA512

    c63886f057869e677af01c63f7cdc82d78c271dc77277c4fad744df0be35b694be6eb653f907aa2f0c0d0e83a3e7440ae9ef4e4b98244a9545a11e40609e0c89

  • SSDEEP

    6144:u+S9Re4T87LZcOXp6O1+MhUdMhOHHw59Kmlxf0Y8P0oH9EQZJLLaTu6yVAuPa9bO:DSW4gZ6+Xf0oQLL6yY9Cokf

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs

    Allows any signed driver to load without validation against a trusted certificate authority.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tcpz64.exe
    "C:\Users\Admin\AppData\Local\Temp\tcpz64.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" -set TESTSIGNING ON
      2⤵
      • Modifies boot configuration data using bcdedit
      • Enables test signing to bypass driver trust controls
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tcpz.ini

    Filesize

    110B

    MD5

    419f1082bacb71e29bde91be7391b18f

    SHA1

    fa613ba2e627181aa297b5e70a13ab914daad92b

    SHA256

    533356878de81f8528ae44f4f4be904ef24f7fac3b153797a0ee72ac59d825e6

    SHA512

    53b921ff6af6ebeaf932e4d18872c4a6dd70ee82edaae20b4559393a055403d207adf46db9b8246cc4abbaba74972b90acbb607700a2c30f033c3c4c49d4e723