Overview

overview

7

Static

static

3

TORA Opera...up.exe

windows7-x64

7

TORA Opera...up.exe

windows10-2004-x64

7

COMCAT.dll

windows7-x64

3

COMCAT.dll

windows10-2004-x64

3

COMDLG32.dll

windows7-x64

3

COMDLG32.dll

windows10-2004-x64

3

DBGRID32.dll

windows7-x64

3

DBGRID32.dll

windows10-2004-x64

3

MSFLXGRD.dll

windows7-x64

3

MSFLXGRD.dll

windows10-2004-x64

3

SETUP1.exe

windows7-x64

3

SETUP1.exe

windows10-2004-x64

3

ST6UNST.exe

windows7-x64

3

ST6UNST.exe

windows10-2004-x64

3

VB6STKIT.dll

windows7-x64

3

VB6STKIT.dll

windows10-2004-x64

3

asycfilt.dll

windows7-x64

3

asycfilt.dll

windows10-2004-x64

3

msvbvm60.dll

windows7-x64

3

msvbvm60.dll

windows10-2004-x64

3

oleaut32.dll

windows7-x64

3

oleaut32.dll

windows10-2004-x64

3

olepro32.dll

windows7-x64

3

olepro32.dll

windows10-2004-x64

3

stdole2.dll

windows7-x64

1

stdole2.dll

windows10-2004-x64

1

tora.exe

windows7-x64

3

tora.exe

windows10-2004-x64

3

Resubmissions

27-10-2024 16:36

241027-t4cgaazgqn 7

19-10-2024 00:17

241019-ak9swsxfrr 7

30-09-2024 17:27

240930-v1devaxbll 7

30-09-2024 17:00

240930-vh8g9szdqg 7

30-09-2024 16:44

240930-t8tlcsvgjk 7

29-09-2024 17:22

240929-vxj38awgng 7

29-09-2024 16:13

240929-tn9rvavalh 7

29-09-2024 01:09

240929-bhyhhsterq 7

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TORA Operations Research Software/setup.exe

  • Size

    137KB

  • MD5

    35561a7acb299a7278e8706fd6e01aa0

  • SHA1

    41e1f323eb44cb474bf04567bed95f4767502131

  • SHA256

    978123c86b1cbc981770fbd8bdfc58ef4030f8d9b3adf06b71b928cc0394c073

  • SHA512

    0d7784c6e9c175027f627b522cafedd87d0f85afb16fb86f9c91a7a045894621e0c9b50d785132e5d5d44c1d21cb76b669960d64212b34c07863039c9b6e499b

  • SSDEEP

    3072:RqwmOGqM8OROAO5UTS7vdWcoWxg7YjcZJQgh9/J:Rq0M8OQAO5WSocVxgGcj/

Score
7/10
discovery

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TORA Operations Research Software\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\TORA Operations Research Software\setup.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\Setup1.exe
      Setup1.exe "C:\Users\Admin\AppData\Local\Temp\TORA Operations Research Software\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2152
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2932
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4fc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Program Files (x86)\vbTora98\tora.exe
      "C:\Program Files (x86)\vbTora98\tora.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2568
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\vbTora98\ST6UNST.LOG
      Filesize

      2KB

      MD5

      178bb4856169722b869c5da96c3e64fb

      SHA1

      dd37119f4adc982e7d53ba9f32976e651b709b81

      SHA256

      021cf472c8256eb6324035e03517b19610c1a50ef6ac158043f1bb2158659dab

      SHA512

      5e71c34b0ff590e2355c683b0f4e371e5bfa3fd5139c01e304b62e7b005119ded383a61b85f029b32b0053c7d76131cfda4e8051adfc9a915a404e6bb74b7dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\COMCAT.DLL
      Filesize

      21KB

      MD5

      3b180da2b50b954a55fe37afba58d428

      SHA1

      c2a409311853ad4608418e790621f04155e55000

      SHA256

      96d04cdfaf4f4d7b8722b139a15074975d4c244302f78034b7be65df1a92fd03

      SHA512

      cf94ad749d91169078b8829288a2fc8de86ec2fe83d89dc27d54d03c73c0deca66b5d83abbeaa1ff09d0acac4c4352be6502945b5187ecde952cbb08037d07e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\COMDLG32.OCX
      Filesize

      137KB

      MD5

      d76f0eab36f83a31d411aeaf70da7396

      SHA1

      9bc145b54500fb6fbea9be61fbdd90f65fd1bc14

      SHA256

      46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c

      SHA512

      9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\DBGRID32.OCX
      Filesize

      513KB

      MD5

      ec2f4fce368dade257d89a1bde1de380

      SHA1

      7026e068eaaa6c46a29d1cbf50b057a1744d67ce

      SHA256

      6cc3e18193118e5d5e0d9a3c765ff2e649a99641b55a79abf1463ed5d46928db

      SHA512

      cdf1d5e4d7270a7a582edaf16dfda3253d31df48b3af6e333c716b1459fce3b62c14f8b002e77daa07c5a075b05efd3ba3b7073c45b830d0a86d20f7d22f1f52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\MSFLXGRD.OCX
      Filesize

      238KB

      MD5

      07bae8106a135df779abc46ec603ea09

      SHA1

      be98c98a35da6ced57b7fc3c2fc933efa84b4273

      SHA256

      4e592240b745546c15e95e26b2547cec86352a49ee1ef79b3e3d28df8b5a0e70

      SHA512

      6ab494ea9e1c633969d5fe6c14411ec20f7073e464e2738c545deefbdc5fb84fb26ff3e9641236cf1afb4d90633437cd312ff5c665c0c8f462c101a957fffbeb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\VB6STKIT.DLL
      Filesize

      99KB

      MD5

      cff867572b44212b01b711c1fa009537

      SHA1

      3978c9f7a3d77c0bdff4353949e2143757eebc79

      SHA256

      df6e2f111773adec3b33dcb0b31e2a4d21ef7d51740706335f411e2c999c0e6b

      SHA512

      1b77ef24b1efb4939e4625deb1f8ebccc3c2edbb49b412dadb8a3c293a265c77ea84d8eb725d3af5bb84d9c040a91debe5890f57ed8750147e91f30c1a0630c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\asycfilt.dll
      Filesize

      63KB

      MD5

      0bc326cd99125724987ceec7405496b6

      SHA1

      cfd440400244c182fd064508e873d62529d285f3

      SHA256

      e701cb227daa19c9b91ecf9975a12351bc4d73454b894695a6c5f74f65b9b77a

      SHA512

      efcad7817908ae1d503e7c1797e190b8b541cda62eb063aba4c96c0e7012803a3f2070cee597122974b84ad6c26c1c5508c57839df07a3fb140b817ef6fa7994

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\msvbvm60.dll
      Filesize

      1.3MB

      MD5

      e949eee7d1be07e32267fe10d9992c38

      SHA1

      a4241fd4850a6e2fa36ef788a34283a23b85fbbb

      SHA256

      fa75a67b0d6a8829993397c3a893c182641a8c4806bb1e46553dbad7f7aaf5d4

      SHA512

      22a789ff7fa41eb739c11a7a9e24f7db86b477650d0c89d937811ebb8a044093019c0728429c9880ee4d76d9bdcaa1d6dbd95ed7b623db619eba0f715586a35c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\oleaut32.dll
      Filesize

      540KB

      MD5

      b3742dee858b243e77c73d2b8f7c8223

      SHA1

      7a132127eb3efeca8f6bc3f20e49b5011b5ae5df

      SHA256

      4397d0fe3ef2cdb85dd811b8743c7700bd4e6d8d3365dcba5286aa10adb2c24a

      SHA512

      277f8f2750a562d5f8168c608928d232a3755662628bf7bb9ed17819786a0e7234534f5e028f4e1e0a2bec0468be5c12c56770c60713f06ac96422581fe26774

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\olepro32.dll
      Filesize

      81KB

      MD5

      b48d3193dd1474dcbcc32bf4779ac698

      SHA1

      4a39d43aea0766c159a32c311c9eb2e06dbf8c03

      SHA256

      54d7ee1e4b43d2590b3b9b4a412717bfecfcce46f9dda68dba4695f135faa7b5

      SHA512

      fdb0691dfb26d43708f8f12f6b75e2097570ba27a0040e0f8ecac30ef9307dedcf425cbec671a0178916675503542a7fa670fb5515ec231509d5aabd0047debb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\stdole2.tlb
      Filesize

      17KB

      MD5

      0857394e30de11ca0cd9497e310d6469

      SHA1

      ba35fba3e44040e7b891fa814dceff94d1c1b114

      SHA256

      e2b26b1ad2d439dded0799d195ca918a03ccf22146690577e2704f871c098426

      SHA512

      05309e02b7c427f379f3235d2d7398d53ee35b3f1f9d7f28ad72607c82e0af6163a2def42734666f7e1fd0b67395031632aff9c9af36fb30c0175fad145f1185

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\tora.exe
      Filesize

      1.1MB

      MD5

      2346349fc8e8e6db23c35fb0f87f6bf5

      SHA1

      3622e640ea66838282ef9b56596452fbb3e3e20e

      SHA256

      9a6e4f75fb820d8bf63d770a9c79f4717d1fc48ffba76940fc4dafa2320881fe

      SHA512

      1cf5739e153d13c0a916adafad4e1fe282094eb4688bd194c0453c13a04c0a3e6c8b044650c3d0695a98fb077209ea9c391cedeecc2be43ab542485cc1684078

      Download Submit

    • C:\WINDOWS\ST6UNST.000
      Filesize

      1KB

      MD5

      f25a1ca424a3062ec1e7fb3ea3249287

      SHA1

      6d016af9a9e6c2872725bc2db92fa92db29393e7

      SHA256

      95bdca6f55f181b25d8594a431ac7491b4d4283f3cfdb3f90ad472acfb2ff600

      SHA512

      1825344d162f4d145bad6dc28aada20e8a2ec5274b65f5dcf448ceb50c731695eec27d13a780619ce31ed9e139a739e531cdd5eae34c66895e378f2f245863b1

      Download Submit

    • C:\Windows\SETUP.LST
      Filesize

      3KB

      MD5

      f1b2cdbeb140f60882d961bc43a8df8f

      SHA1

      724774bcfd14fa2644bdd35b7a76fb02f24381a2

      SHA256

      274832c8ee77266af5bbad6552bba13a9d6db8fadadfd0b423555b30030442c6

      SHA512

      6982afaf7ebc14ddf10c4f9e7ccd213b49bafa0ce70f7a491f85e8cf1cadc31fa0e8a3d0e1dfb090d97765d5c23f43b8a0e25c432fd25bb72aa4cfbaa6982b26

      Download Submit

    • C:\Windows\ST6UNST.EXE
      Filesize

      71KB

      MD5

      996f83e516552ca3b51445bb994a6d38

      SHA1

      56fc6ba49195dedf735e6ce1b03ab36d72334f66

      SHA256

      7e60c894a8cead6880fd3ed040504d02304a0b961304e40741340e31f5fa973d

      SHA512

      5868100fdb274dbad44ea0996aa4ed0a930cce5c61ce55631869bd19ee09feb8a957bf2a4a87ba563f48bb65807dae5b2363c042d451843e9598b10f6c334d2f

      Download Submit

    • C:\Windows\Setup1.exe
      Filesize

      280KB

      MD5

      e40041e0ca436c712332edaa9db7df08

      SHA1

      deb8ead922f4f1acbadebf0db998f6ba2dc53db0

      SHA256

      6a15b76e1526e1fd6ebaecacc59c3e954d0feb0b566c81538ea6dad2edcffe16

      SHA512

      1111be364c3d81dc919d1e7ba7bd141cda6555844d889f00a2b2cb0ee5c19bd0b122ae4b574a3cdfa268668eebec43fa265b44e1b8fa28faaa335824647b8bc2

      Download Submit

    • C:\Windows\tora.CAB
      Filesize

      1.9MB

      MD5

      c13240f6e638b4065e72b0d67ce20d75

      SHA1

      f86f39c86c75c700481d031fc3c631102e57aad2

      SHA256

      96ebc498a2c51c05c14660a62adb0e97b73b72aa26608008464bb5d291f7c55c

      SHA512

      92bd0856021de57f38ef557e8e395443aca0cc9a44fc5b60668358c76a15bda95c129fc9bd5b55479b01945dafa7d963bda409775f3afffa710da79624a8989f

      Download Submit

    • memory/2568-318-0x0000000004B30000-0x0000000004B6B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2568-319-0x0000000004DF0000-0x0000000004E90000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2568-320-0x0000000005040000-0x000000000509C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2568-321-0x0000000005A70000-0x0000000005A86000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2568-322-0x0000000005980000-0x0000000005982000-memory.dmp

      Filesize

      8KB

      Download