8e985ce8d5e8fd51551f9d043daf7a8ed94284b347afd09906cf5de4a8eaa7a7

Analysis

max time kernel
57s
max time network
53s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 02:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TGMacro.exe
Size

1.1MB
MD5

42b9eb8bf1d2d2aabda3977656af4364
SHA1

23f44de466b8dd6c22946492e11d987920541bff
SHA256

b9f7da1c4a8f358d38be737a6c5f847b9e15be75e6a3602390b6d99be5358968
SHA512

1adcab31d50d6a2fa7254a5ce8cfa92e1e539441d79721cf2bbdf578f04b042e99a5687a9c9b7ffdb9de62d51532582fc9d37ff5985afdb436b3bda08e36e783
SSDEEP

6144:nHHj/z4FzwtihGPA5dpUymFEymFEymFEymFEymFTymF8ymFYRM3GWOBymqP8:Hgz9hrnssssjajRM3BOo4

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD91E661-82C2-11EF-B12A-E61828AB23DD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1884	TGMacro.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	TGMacro.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1980	iexplore.exe
1884	TGMacro.exe
1884	TGMacro.exe
1884	TGMacro.exe
1884	TGMacro.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1884	TGMacro.exe
1884	TGMacro.exe
1884	TGMacro.exe
1884	TGMacro.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1980	iexplore.exe
1980	iexplore.exe
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1980	1884	TGMacro.exe	30
PID 1884 wrote to memory of 1980	1884	TGMacro.exe	30
PID 1884 wrote to memory of 1980	1884	TGMacro.exe	30
PID 1980 wrote to memory of 1164	1980	iexplore.exe	31
PID 1980 wrote to memory of 1164	1980	iexplore.exe	31
PID 1980 wrote to memory of 1164	1980	iexplore.exe	31
PID 1980 wrote to memory of 1164	1980	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\TGMacro.exe
"C:\Users\Admin\AppData\Local\Temp\TGMacro.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://trksyln.net/Download/thankyou
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
088c4a3dd5accd8acc7ee13e87d2d43a

SHA1
40b0a326d6124677efd3864a52676cbf172b7b10

SHA256
95bfb7047f7400175bf74f2ff8d2527ffc451f0a16448b707037966bec466ebd

SHA512
7cad29116c6b18423dbe3148d54a9161778cb851765800199d0ee0799f167f179b65c563cce9195506ac7e3402186412676a46689b13eff57e519772bedce2dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd029127ab4054f905dfd421d2ca87f5

SHA1
98a9511d0f9cee9ae0b2932e28aec5e4d5cc0dd1

SHA256
c74964a2562543776a3ff9b4913e5c70b1d1762b34724960a80dab927932f1da

SHA512
b93eb897189940124a7e1bb3f2d5e6872a769220fec7fbaaecb990de6463de1d60bb89e32701c804f67aafae6ec7687717b9d1a260c0c173be52e147bd1aecc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d541bf25315bc117a36facd8d3bbe5a

SHA1
083ac7a4f029e8978992df43bda4b21a6b9d58b0

SHA256
302615dd2960d3979082c16fd7044b30aeed66e26d0a47ce3313d29f35f7fc26

SHA512
dff7969ec5cbc16fb06ddec6378b1783c7843a1b42c50e79c0ad442148aec0a33c273d91bf3c4b94bcc3905b0933c2f547abbda464f10d09c33cd79d6693e837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
211764e8311bd6049ff45a844e7a4264

SHA1
242e96e3fc24279e7194aeda2fe179b4b20c4e55

SHA256
633835162152538af248c499fd62fbba59f67d59afef7589bc8f0a561d6aad6f

SHA512
0494f3d45dac3ef6590f61996f78bd9c87b0f25200f85fa5f2effe8ef4ac2865f45829cc1c12611b2a2016140579a02ca8697407df59c3fe69e15ba9f2d47ed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d2ba94d0e0a71b54a1c9854b72a88f5

SHA1
8b57145e034be7ba04e25ccb49fc1cf4acc9c138

SHA256
ad8d00692a2184432a4e4f0fe45e3750d1fef2b92538f35baefb3306a9f501da

SHA512
82a30c38246e0544836ca6ed29703249878a92e30eca50015107aaefa9c68a0eee081c56fbb2cb4491bbe3a6f567cbe8bdffd9088f6676d1ee746330e01628de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ace080d589f725aed5b53240e4bdfac

SHA1
fe935c21c6b215c5575cf9b83efb0a2645e62a42

SHA256
ab5898bb17cabbd0d33771cc9c3ea8095828a22dd1780a98b21635db1b272120

SHA512
fb0acfe9ab3bb8543137e85babe6106ecd63972c5ae252cf6c3d66ef7f72beb11c936f7d282cfaef208c2b5f47b1a5238428ce34e5aed8264a6aeccbea4dcaab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fb11595ee364042878d1e6a0147315e

SHA1
b2276cbfe898a3df357022b6231d2f924dfa593a

SHA256
42dbf8cb9ef904217ac332ce992e694e9582ea63a39d8dc478a4b40443511fca

SHA512
4ab1431713d53ca1808d96e8f67c4e11d991f8479cfc2d5f102363d91316a7ba904d3f49aec0ab2c6a24eb44a012cf8d3753fc627501a13643862b5ba5c40ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e271aeb986fda8a46a09a5dd7ff1987

SHA1
6195a3f4f877cbb75b4023019aebe5f1cc9a6dad

SHA256
298588f7f8da14cdec3bafad09e6acd5e5d969566aa2b636dbf178967a658a50

SHA512
f682b15dc3191e2976a0891633d9090cb86553e49695cb42598cc8ac5a03318b864472cf168152789b111ece2b484fba5ad48bac5e0b5465d8fa6d55b8fc7c0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
172f06030cbd60c60dee77b0dba28b9f

SHA1
89371034579b42afd8354850d45eaba05bc66635

SHA256
848acb2fe8fc6134013d480335b6efe32f792f6d6707ac67840c72664755a62c

SHA512
14d8243e0aa5dbfa5acb1126643ab61416d82ea64844db2deea046f378d09ff1878b978815d94f71404b6279e71d27dbf00239a0e71b45b002e68dbc1a611011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6CF9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6D59.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1884-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/1884-27-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-8-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-7-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-5-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-3-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1884-4-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-1-0x0000000000C20000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/1884-450-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download