Analysis
-
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 01:05
Static task: static1
Behavioral task: behavioral1
Sample: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Resource: win7-20240729-en
General
-
Target: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Size: 26.2MB
MD5: e9a61d220a0df35ea009b602eec9a9a7
SHA1: e9ef755041a907cd394d23da33784ab4a12c75a7
SHA256: ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531
SHA512: de8787231952a993f0c98c8f5268e171aa7c34b7722ed36e4ab4e418e116b67bab455069ce3507e5df3c9d66831b9c0f423bde6c8573161530e3f90a66a0b266
SSDEEP: 393216:kgIRvV8Y6xX3F+Gt/SArbLAE+/HnC/XZ1LF8HhZhpVLiQ2V8BWmy9DEtNhE:D6OY6pBSArYLC/p1Lg/pVOhyBS9ehE
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process
2936 yqyfghg.exe
2920 LineInst.exe
15228 Tlctl.exe
12764 Tlctl.exe
Loads dropped DLL 8 IoCs
pid Process 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\T: Tlctl.exe
File opened (read-only) \??\U: Tlctl.exe
File opened (read-only) \??\W: Tlctl.exe
File opened (read-only) \??\B: Tlctl.exe
File opened (read-only) \??\M: Tlctl.exe
File opened (read-only) \??\R: Tlctl.exe
File opened (read-only) \??\V: Tlctl.exe
File opened (read-only) \??\S: Tlctl.exe
File opened (read-only) \??\X: Tlctl.exe
File opened (read-only) \??\Y: Tlctl.exe
File opened (read-only) \??\K: Tlctl.exe
File opened (read-only) \??\L: Tlctl.exe
File opened (read-only) \??\O: Tlctl.exe
File opened (read-only) \??\Q: Tlctl.exe
File opened (read-only) \??\J: Tlctl.exe
File opened (read-only) \??\N: Tlctl.exe
File opened (read-only) \??\P: Tlctl.exe
File opened (read-only) \??\Z: Tlctl.exe
File opened (read-only) \??\E: Tlctl.exe
File opened (read-only) \??\G: Tlctl.exe
File opened (read-only) \??\H: Tlctl.exe
File opened (read-only) \??\I: Tlctl.exe
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Tlctl.exe yqyfghg.exe
File opened for modification C:\Windows\SysWOW64\Tlctl.exe yqyfghg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs
pid Process 2936 yqyfghg.exe 2936 yqyfghg.exe 2936 yqyfghg.exe 2936 yqyfghg.exe 15228 Tlctl.exe 15228 Tlctl.exe 2936 yqyfghg.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqyfghg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LineInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tlctl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tlctl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
12728 cmd.exe
12892 PING.EXE
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Tlctl.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Tlctl.exe
Modifies data under HKEY_USERS 11 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Tlctl.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Tlctl.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\Software Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Tlctl.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Tlctl.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Tlctl.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Tlctl.exe
Runs ping.exe 1 TTPs 1 IoCs
pid Process
12892 PING.EXE
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe 12764 Tlctl.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 2936 yqyfghg.exe
Token: 33 12764 Tlctl.exe
Token: SeIncBasePriorityPrivilege 12764 Tlctl.exe
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 2776 wrote to memory of 2936 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 30
PID 2776 wrote to memory of 2936 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 30
PID 2776 wrote to memory of 2936 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 30
PID 2776 wrote to memory of 2936 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 30
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2776 wrote to memory of 2920 2776 ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe 31
PID 2936 wrote to memory of 12728 2936 yqyfghg.exe 33
PID 2936 wrote to memory of 12728 2936 yqyfghg.exe 33
PID 2936 wrote to memory of 12728 2936 yqyfghg.exe 33
PID 2936 wrote to memory of 12728 2936 yqyfghg.exe 33
PID 15228 wrote to memory of 12764 15228 Tlctl.exe 34
PID 15228 wrote to memory of 12764 15228 Tlctl.exe 34
PID 15228 wrote to memory of 12764 15228 Tlctl.exe 34
PID 15228 wrote to memory of 12764 15228 Tlctl.exe 34
PID 12728 wrote to memory of 12892 12728 cmd.exe 36
PID 12728 wrote to memory of 12892 12728 cmd.exe 36
PID 12728 wrote to memory of 12892 12728 cmd.exe 36
PID 12728 wrote to memory of 12892 12728 cmd.exe 36
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ab6bd75d672429a1ecbe7010082b3455b2b0b24952554788a5d1b33af0c77531.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2776
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2936
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\yqyfghg.exe > nul
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID: 12728
Process (depth 4): C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 2 127.0.0.1
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 12892
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\LineInst.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2920
Process (depth 1): C:\Windows\SysWOW64\Tlctl.exe
Command line: C:\Windows\SysWOW64\Tlctl.exe -auto
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 15228
Process (depth 2): C:\Windows\SysWOW64\Tlctl.exe
Command line: C:\Windows\SysWOW64\Tlctl.exe -acsi
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 12764
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.5MB
MD5: 6eb8c366315498feabd796786a621bcb
SHA1: 3074fbe6287be713de51280d8277ab2f4b707155
SHA256: 626db8bea999709c8faead0ec9d60025604676fcc44130abe6c1168b90989b3b
SHA512: dc28756c56c8ceffde09717e71212c5335e7cd1195105f6d5955a8ea3419e11b63669b03c5eba1a72be84adc9d92b0a3250a991b7c6a59817d3ffd21fc452733
-
Filesize: 1004KB
MD5: 587e3bc21efaf428c87331decc9bfeb3
SHA1: a5b8ebeab4e3968673a61a95350b7f0bf60d7459
SHA256: b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120
SHA512: ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca
-
Filesize: 27.5MB
MD5: fc7f52ba7722c4beecbc550e6376a53f
SHA1: 48649e85ae0181dee896cfa40369d8887bb0fb49
SHA256: 7c3763106ba7b5f96ee7fc4411278737db191faf19bd0d5fd3cc4cc63f3f110a
SHA512: a401e6d587e25ac24fb47dce47468eb24250edaf5477d21d6eea7d7b8881916273034705d346519d530d61927ae80ce347d26852e71a89bb62b47747a6408c92