Analysis
- max time kernel: 119s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2024 09:09

Behavioral task behavioral1
- Sample: c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- Resource: win10v2004-20241007-en
General
- Target: c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- Size: 30KB
- MD5: 342c4c4f892f98b00b29035f9e483e10
- SHA1: 01323c60ad0f23039a8dee51c86c550d0b971519
- SHA256: c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c
- SHA512: b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423
- SSDEEP: 768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewqu:QuQRylaUDTDxDXjy6AB7koYy2Gu
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | tmoopeg.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5850414A-4f54-4959-5850-414A4F544959} | tmoopeg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5850414A-4f54-4959-5850-414A4F544959}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5850414A-4f54-4959-5850-414A4F544959}\IsInstalled = "1" | tmoopeg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5850414A-4f54-4959-5850-414A4F544959}\StubPath = "C:\\Windows\\system32\\acberab.exe" | tmoopeg.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | tmoopeg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | tmoopeg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | tmoopeg.exe
Executes dropped EXE 2 IoCs
pid | Process
- 2148 | tmoopeg.exe
- 2136 | tmoopeg.exe
Loads dropped DLL 3 IoCs
pid | Process
- 2380 | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- 2380 | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- 2148 | tmoopeg.exe
Windows security modification 4 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | tmoopeg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | tmoopeg.exe
Indicator Removal: Clear Persistence 1 IoCs
description | ioc | Process
- Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | tmoopeg.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | tmoopeg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | tmoopeg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | tmoopeg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | tmoopeg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | tmoopeg.exe
Drops file in System32 directory 17 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | tmoopeg.exe
- File created | C:\Windows\SysWOW64\tmoopeg.exe | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- File opened for modification | C:\Windows\SysWOW64\rmass.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\aset32.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\ahuy.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\ouctisuc.exe | tmoopeg.exe
- File created | C:\Windows\SysWOW64\ouctisuc.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\winrnt.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\acberab.exe | tmoopeg.exe
- File created | C:\Windows\SysWOW64\acberab.exe | tmoopeg.exe
- File created | C:\Windows\SysWOW64\atvofeak.dll | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- File opened for modification | C:\Windows\SysWOW64\atvofeak.dll | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\idbg32.exe | tmoopeg.exe
- File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | tmoopeg.exe
UPX packed file 5 IoCs
resource | yara_rule
- behavioral1/memory/2380-0-0x0000000000400000-0x0000000000417000-memory.dmp | upx
- behavioral1/files/0x00080000000120ff-1.dat | upx
- behavioral1/memory/2380-11-0x0000000000400000-0x0000000000417000-memory.dmp | upx
- behavioral1/memory/2148-45-0x0000000000400000-0x0000000000417000-memory.dmp | upx
- behavioral1/memory/2136-56-0x0000000000400000-0x0000000000417000-memory.dmp | upx
Drops file in Program Files directory 8 IoCs
description | ioc | Process
- File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | tmoopeg.exe
- File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | tmoopeg.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmoopeg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 2148 | tmoopeg.exe (63 of the 64 listed entries)
- 2136 | tmoopeg.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2380 | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
- Token: SeDebugPrivilege | 2148 | tmoopeg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
- PID 2380 wrote to memory of 2148 | 2380 | c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe | 30 (4 entries)
- PID 2148 wrote to memory of 436 | 2148 | tmoopeg.exe | 5 (1 entry)
- PID 2148 wrote to memory of 1236 | 2148 | tmoopeg.exe | 21 (2 entries)
- PID 2148 wrote to memory of 2136 | 2148 | tmoopeg.exe | 31 (4 entries)
- PID 2148 wrote to memory of 1236 | 2148 | tmoopeg.exe | 21 (repeated for all remaining entries of the 64 listed)
Processes
- C:\Windows\system32\winlogon.exe (level 1, PID 436)
  Command line: winlogon.exe
- C:\Windows\Explorer.EXE (level 1, PID 1236)
  Command line: C:\Windows\Explorer.EXE
- C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe (level 2, PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\tmoopeg.exe (level 3, PID 2148)
    Command line: "C:\Windows\system32\tmoopeg.exe"
    Signatures:
    - Windows security bypass
    - Boot or Logon Autostart Execution: Active Setup
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Indicator Removal: Clear Persistence
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\tmoopeg.exe (level 4, PID 2136)
      Command line (as shown in the report): --k33p
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)