d51d112f071390cb95010575572bdf3e0ad0a25b6b4bf83b41d6c59086cfedf7

General

Target

tg_proX64.exe
Size

70.9MB
MD5

a15fe81c0d0661a089e2d3d78213d52c
SHA1

049d9028f66a46d2f5127c1ce44feac95f6581a7
SHA256

d51d112f071390cb95010575572bdf3e0ad0a25b6b4bf83b41d6c59086cfedf7
SHA512

9bb25d15214ee6d897293bdd8c6e88deb2f8a2d2cf8d74abd4855c56049b09af41016d2d8f827fe072be36e3a1d6e2b19e4b36adc839e3a43e306b688cfcbf47
SSDEEP

1572864:T8VnWS8+lvp0kdu8RojQ5qATl2iUUeC/oIH4ecuiAxBtg:T8JyM6XjomiReMoIH4eoga

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2712	tg_proX64.tmp
2544	svcorenos.exe

Loads dropped DLL 11 IoCs

pid	Process
2676	tg_proX64.exe
2712	tg_proX64.tmp
1232	Process not Found
1232	Process not Found
1232	Process not Found
2544	svcorenos.exe
2544	svcorenos.exe
2544	svcorenos.exe
1232	Process not Found
1232	Process not Found
1232	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tg_proX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tg_proX64.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	tg_proX64.tmp
2712	tg_proX64.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	tg_proX64.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2676 wrote to memory of 2712	2676	tg_proX64.exe	30
PID 2712 wrote to memory of 2544	2712	tg_proX64.tmp	32
PID 2712 wrote to memory of 2544	2712	tg_proX64.tmp	32
PID 2712 wrote to memory of 2544	2712	tg_proX64.tmp	32
PID 2712 wrote to memory of 2544	2712	tg_proX64.tmp	32

C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe
"C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\is-9312V.tmp\tg_proX64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9312V.tmp\tg_proX64.tmp" /SL5="$30120,73296718,797696,C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
    "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\TGprozhver\checkUpdater.cfg

Filesize
18.4MB

MD5
3de39b89ac8560ca121fec31ef952bc4

SHA1
771ba8254037708a91d714689d08eeaa64eb6570

SHA256
2fee036810339596c2b690977bcec0c1d9fe2079f1260de80b18057eb35f0ce2

SHA512
92d38671ec1f1a49d256d085f3ee0155615c8b86a6f5ee4a6d0da8772db2b893edf769d2017fdc21627773133da2c4255ded2b1b63b7d1e54745b57ce6cb2f4f

Download Submit
\Users\Admin\AppData\Local\Programs\TGprozhver\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
\Users\Admin\AppData\Local\Programs\TGprozhver\zlibwapi.dll

Filesize
6.2MB

MD5
9c34ad9143eae99e157961a41f43b9d1

SHA1
63d1d2798eccafc5ba6e308d1200eef620d65a8d

SHA256
1f9dc739a9e45fe5b8fa43bfea41c3d45212df95f21b952c7f969dbc0b57d389

SHA512
0229041ae0b8ebc44d313cc81a5d12a6e4d55123eec346652f9bf09df60537194cb34d0f2f39a7ecafd18e8678016b924d8f686d46a73da5f64ac00c7ae165c0

Download Submit
\Users\Admin\AppData\Local\Temp\is-9312V.tmp\tg_proX64.tmp

Filesize
3.2MB

MD5
3f8d4835277b10465e0747b3d1c61fc7

SHA1
90561bc4041a447dff572401666680975943661d

SHA256
7b207e9fc0e6e7410b61c79534f3675945acd163e861a63649b7c3ad331c7ca4

SHA512
eea8e64f5a2c88c237b70a23d1025d2740dc2898ae6d77e63f898748273ff72d0c5564744729faec1d544ae10af2f5cab84643ae9bcd87ca7e1df1769feacdcc

Download Submit
memory/2544-101-0x000007FEF5080000-0x000007FEF5A49000-memory.dmp

Filesize
9.8MB

Download
memory/2544-117-0x00000000064B0000-0x000000000887F000-memory.dmp

Filesize
35.8MB

Download
memory/2544-115-0x00000000064B0000-0x000000000887F000-memory.dmp

Filesize
35.8MB

Download
memory/2544-111-0x0000000002D40000-0x0000000003FAB000-memory.dmp

Filesize
18.4MB

Download
memory/2676-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2676-105-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2676-89-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2676-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2712-104-0x00000000012F0000-0x0000000001631000-memory.dmp

Filesize
3.3MB

Download
memory/2712-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2712-91-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2712-90-0x00000000012F0000-0x0000000001631000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing