Analysis

  • max time kernel: 40s
  • max time network: 48s
  • platform: windows11-21h2_x64
  • resource: win11-20240802-en
  • resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 21/09/2024, 23:07

General

  • Target: tailscale-setup-full-1.74.0.exe
  • Size: 64.0MB
  • MD5: a2d870d2f4a6e6f9971ead293b44e530
  • SHA1: b05d3da1df50d8a14f2092b680f9fd6ee507c3f8
  • SHA256: 54eba2001cbf568de4c9fd72c1a9810ba09b077686798b2fcd7b7c54980c2e92
  • SHA512: a148afeb100fac5b63aaf0f2c966a2c124d5065627545b9eb38cf2636f49a9195001d96df72e3acf71e55b8247a218f3d7db8e61e31ced3ccc14c610a6d970c2
  • SSDEEP: 1572864:EPVBBFHiPvkYVTlhye4v6qsboWfwRbUU/ROa4pDvkFf97i1WP1AT:W9CnHVTlhye4vts8Wf2YU/ROaWT8V7iF

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\tailscale-setup-full-1.74.0.exe
    "C:\Users\Admin\AppData\Local\Temp\tailscale-setup-full-1.74.0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\Temp\{A9CB7736-B170-41D6-BEEB-F4813F4E22BA}\.cr\tailscale-setup-full-1.74.0.exe
      "C:\Windows\Temp\{A9CB7736-B170-41D6-BEEB-F4813F4E22BA}\.cr\tailscale-setup-full-1.74.0.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\tailscale-setup-full-1.74.0.exe" -burn.filehandle.attached=580 -burn.filehandle.self=728
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\Temp\{01E49AA0-EE6F-43FE-9E9B-FA05E74D2A26}\.be\tailscale-setup-full-1.74.0.exe
        "C:\Windows\Temp\{01E49AA0-EE6F-43FE-9E9B-FA05E74D2A26}\.be\tailscale-setup-full-1.74.0.exe" -q -burn.elevated BurnPipe.{1B958E2B-1CCA-4B08-B20D-7FD2F9F1E03E} {A37107C0-E73C-4758-B05C-5BFB4BD6385F} 3540
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3516
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1824
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 42BD32686F67217974D4A0F64146171E
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1376
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 9748F313B8394F66EEE8C3BF5F8A4921
      2⤵
      • Loads dropped DLL
      PID:1116

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
          Filesize: 10KB
          MD5: a73ea6e1db27acedbe4055c448f82ef7
          SHA1: 01769a266d26c4b4b374099606e86b8874ddd55f
          SHA256: c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9
          SHA512: f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4

        • C:\Users\Admin\AppData\Local\Temp\Tailscale_20240921230813_000_MsiAMD64.log
          Filesize: 2KB
          MD5: 8989bf9aaacc7fed97fa0f88aad394d0
          SHA1: 5cfe6228141645d25432069cd2c8a31dfaf743fd
          SHA256: 7518d219eb94e1f80333750bdcdb88cd111c860a8ab2e6d6c5de7937a928b7dd
          SHA512: 9f0fd65b8ebe5ab155b79bb5d659ebcbf5407bfce3f1a8c41e5d902adffe04f3df1aff6b8b720f885f7305bad41108d24e0130d590f1e6d5435d0c485f695cb8

        • C:\Windows\Installer\MSI3822.tmp
          Filesize: 234KB
          MD5: 8edc1557e9fc7f25f89ad384d01bcec4
          SHA1: 98e64d7f92b8254fe3f258e3238b9e0f033b5a9c
          SHA256: 78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5
          SHA512: d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

        • C:\Windows\Installer\MSI3871.tmp
          Filesize: 4.3MB
          MD5: 95defda60895e6496aed33cb38cba2f0
          SHA1: 3a4daa4269eafd77b0c74525f2159b781aea1257
          SHA256: 23bf3434922487444ff669743c72261de1c3d1d3a7d130eaaf9090dffb0f5003
          SHA512: 5a81192c376d751451253487aedafba5915551d8b147580e5c3c7c99281d9fc8e65ede6f942d17a13619a3529a5aa4ceea3a395ec6d52907ec88c7f75e4ba385

        • C:\Windows\Temp\{01E49AA0-EE6F-43FE-9E9B-FA05E74D2A26}\.ba\logo.png
          Filesize: 1KB
          MD5: d739db7a35fc73cbc433b7d1c676eab9
          SHA1: 48d4ae61b123e49905048ca3c3f7ee0d6391e67d
          SHA256: 5d990e6ac3757c43e8ec6e4e86a4abd21cb1746aa9d518c0ed3c755eb6abf63f
          SHA512: eaf19cba296268c2fd8ae218e4baa98dad481f52323dfe4ca31a7a4c29f1860ea306d02f2d20a9ca2c1c769703aedd3222016efef92a948d82225c8e34ca77ea

        • C:\Windows\Temp\{01E49AA0-EE6F-43FE-9E9B-FA05E74D2A26}\.ba\wixstdba.dll
          Filesize: 205KB
          MD5: 87c8a7ea44e8ee0d9358e25b7dcd397d
          SHA1: 0e2021be823fee499175d2c0d68346d15c02a376
          SHA256: b7de0a0ca3a94738747abd708e30ba1f9638a8c8b7d8173c76d4f39fae3d9346
          SHA512: 98b5bbe5bb3ec331a0025e3da209296050b2f695be5a4b90b5c939f8fbbaada6dd93483eba779c10151546c2798aab5282fa619a55ec0cf04f56a03795a0a3f5

        • C:\Windows\Temp\{01E49AA0-EE6F-43FE-9E9B-FA05E74D2A26}\MsiAMD64
          Filesize: 27.5MB
          MD5: 334d1b6abdd858ae963e04cc3bd5680c
          SHA1: 4681f67e3249c448b0f0ea3e35e264ff0b3703aa
          SHA256: 3b83eb00fb03551f661ae5528cca0e6e091ac7f089e5e418d1a527af0fa07060
          SHA512: 3222c3ea3f60659a3698313b50daaffefe469f27f889cffe8179d3b41fe28c108e247f7023d2744177b30ab0432cc2e596c00c284a0fbe21d7377c9782ca56be

        • C:\Windows\Temp\{A9CB7736-B170-41D6-BEEB-F4813F4E22BA}\.cr\tailscale-setup-full-1.74.0.exe
          Filesize: 736KB
          MD5: 481063c3418546d24e0e8ab4f039453e
          SHA1: b1c6ce83e5e81dc7c6486fa13d9de1bc0b6c3c64
          SHA256: 731c09bda7fe7a95555165133fa8e516cba7a5cc9470200b8034074bc651a9bb
          SHA512: 68f6eb13dffa2dff8ad9ee3c354f16c1e98383509924529c81fa4f604b92c08e2ab107a4215ca005cacd02ae54efd457a6ce5c4a00f6d25b95ee1d3dd89f522d

        • memory/1116-70-0x00007FFC39940000-0x00007FFC39DD4000-memory.dmp
          Filesize: 4.6MB