Malware Analysis Report

2025-01-03 09:56

Sample ID 241106-kqtc7sxfll
Target tebo-ictview.4.0-patch.zip
SHA256 5217148419fc18f5b476d74431d7a437d0f4e2ca43017b8b69507d1e200b378b
Tags
qr link discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5217148419fc18f5b476d74431d7a437d0f4e2ca43017b8b69507d1e200b378b

Threat Level: Shows suspicious behavior

The file tebo-ictview.4.0-patch.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

qr link discovery

Loads dropped DLL

One or more HTTP URLs in qr code identified

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 08:48

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 08:48

Reported

2024-11-06 08:49

Platform

win7-20241010-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\1. FILES SOURCE LINK.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\1. FILES SOURCE LINK.url"

Network

N/A

Files

memory/2708-0-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2708-1-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 08:48

Reported

2024-11-06 08:49

Platform

win10v2004-20241007-en

Max time kernel

30s

Max time network

13s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\1. FILES SOURCE LINK.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\1. FILES SOURCE LINK.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 172.202.163.200:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-06 08:48

Reported

2024-11-06 08:49

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe

"C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe"

Network

N/A

Files

memory/2956-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2956-0-0x0000000000400000-0x00000000004D5000-memory.dmp

\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 c23adb4c6ebb49de336656dacbb08409
SHA1 fe005669ca35deb73521c9905eb5722a528f2c61
SHA256 57a0ac99c64da6c10ef1ca5f3e007539aa3adf1e087fb3a396ccf23ebd22c5d7
SHA512 08c7b7a1f445790718e3d5521cbb1fe1b82c98e757df64c6e274e9c1f96a1efa5536e31d0370d7a3d7e5d40d35a4d66f58999d0ecea541de5f4f8da459f17dcf

memory/2956-5-0x00000000753E0000-0x0000000075438000-memory.dmp

\Users\Admin\AppData\Local\Temp\bassmod.dll

MD5 780d14604d49e3c634200c523def8351
SHA1 e208ef6f421d2260070a9222f1f918f1de0a8eeb
SHA256 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
SHA512 a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

memory/2956-9-0x0000000000020000-0x0000000000021000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-06 08:48

Reported

2024-11-06 08:49

Platform

win10v2004-20241007-en

Max time kernel

34s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000004759104b10004c6f63616c003c0009000400efbe4759174966591a462e0000007ce10100000001000000000000000000000000000000fff029004c006f00630061006c00000014000000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000047591749120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe4759174966591a462e00000069e10100000001000000000000000000000000000000fec635004100700070004400610074006100000042000000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000066591a46100054656d7000003a0009000400efbe4759174966591a462e0000007de10100000001000000000000000000000000000000969ecc00540065006d007000000014000000 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe

"C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x310 0x2f4

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

memory/3996-0-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/3996-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 c23adb4c6ebb49de336656dacbb08409
SHA1 fe005669ca35deb73521c9905eb5722a528f2c61
SHA256 57a0ac99c64da6c10ef1ca5f3e007539aa3adf1e087fb3a396ccf23ebd22c5d7
SHA512 08c7b7a1f445790718e3d5521cbb1fe1b82c98e757df64c6e274e9c1f96a1efa5536e31d0370d7a3d7e5d40d35a4d66f58999d0ecea541de5f4f8da459f17dcf

memory/3996-4-0x0000000074DB0000-0x0000000074E08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bassmod.dll

MD5 780d14604d49e3c634200c523def8351
SHA1 e208ef6f421d2260070a9222f1f918f1de0a8eeb
SHA256 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
SHA512 a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

memory/3996-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/3996-14-0x0000000000400000-0x00000000004D5000-memory.dmp