Analysis
-
max time kernel
357s -
max time network
357s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-11-2024 08:50
Behavioral task
behavioral1
Sample
tebo-ictview.4.0-patch.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
tebo-ictview.4.0-patch.zip
Resource
win10v2004-20241007-en
General
-
Target
tebo-ictview.4.0-patch.zip
-
Size
531KB
-
MD5
cad2506fdf50bc3cca25f582049984d0
-
SHA1
e141d367b764623ffb37801a3c7a4a15a07988df
-
SHA256
5217148419fc18f5b476d74431d7a437d0f4e2ca43017b8b69507d1e200b378b
-
SHA512
34e3431a681d7b890e3e78d32f9716fc51857600d0d57e865a5c30fda780c38415fc884f2b9fc3921c3f4705d19ca192dddb76671dc1d952485d904aa250e29f
-
SSDEEP
12288:uW+lzoSzhyYn+0gbmn9RY5fhvLddM93vQv0Os34:Dw5Fnxmmn4VxZ+3W014
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2708 tebo-ictview.4.0-patch.exe -
Loads dropped DLL 2 IoCs
pid Process 2708 tebo-ictview.4.0-patch.exe 2708 tebo-ictview.4.0-patch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tebo-ictview.4.0-patch.exe -
Modifies registry class 41 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" tebo-ictview.4.0-patch.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff tebo-ictview.4.0-patch.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots tebo-ictview.4.0-patch.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5c0031000000000066594b461020375a4f3435417e310000440008000400efbe66594b4666594b462a0000008022010000000b00000000000000000000000000000037007a004f0034003500410042003800300030003700000018000000 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000002359ad29122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe2359ad292359ad292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000 tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000002359e82a10204c6f63616c00380008000400efbe2359ad292359e82a2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000 tebo-ictview.4.0-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000066594b46102054656d700000360008000400efbe2359ad2966594b462a00000001020000000002000000000000000000000000000000540065006d007000000014000000 tebo-ictview.4.0-patch.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 tebo-ictview.4.0-patch.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" tebo-ictview.4.0-patch.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2644 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2644 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 2644 7zFM.exe Token: 35 2644 7zFM.exe Token: SeSecurityPrivilege 2644 7zFM.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2644 7zFM.exe 2644 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2708 tebo-ictview.4.0-patch.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30 PID 2644 wrote to memory of 2708 2644 7zFM.exe 30
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\7zO45AB8007\tebo-ictview.4.0-patch.exe"C:\Users\Admin\AppData\Local\Temp\7zO45AB8007\tebo-ictview.4.0-patch.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
413KB
MD5119b9c5d2a84b08854a8b1e9a73e0c58
SHA1745cb6992f799ffd57d7da45d4f7bf37559b69c4
SHA2562062474e6f0c7b7edf50aa3d7579301e42bc17efd77cc6fecc2edfa76d0a4930
SHA51289230f04edcaad3ae125e2611a1107e266b03405c8ad9972e685a8cf25f7912e8b01f4c264257f074dee24c22165f175593195e39b237603aba586db6d8c2358
-
Filesize
9KB
MD5780d14604d49e3c634200c523def8351
SHA1e208ef6f421d2260070a9222f1f918f1de0a8eeb
SHA256844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
SHA512a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b
-
Filesize
255KB
MD5c23adb4c6ebb49de336656dacbb08409
SHA1fe005669ca35deb73521c9905eb5722a528f2c61
SHA25657a0ac99c64da6c10ef1ca5f3e007539aa3adf1e087fb3a396ccf23ebd22c5d7
SHA51208c7b7a1f445790718e3d5521cbb1fe1b82c98e757df64c6e274e9c1f96a1efa5536e31d0370d7a3d7e5d40d35a4d66f58999d0ecea541de5f4f8da459f17dcf