Analysis
-
max time kernel
120s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 09:09
Behavioral task
behavioral1
Sample
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
120 seconds
Behavioral task
behavioral2
Sample
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
-
Size
30KB
-
MD5
342c4c4f892f98b00b29035f9e483e10
-
SHA1
01323c60ad0f23039a8dee51c86c550d0b971519
-
SHA256
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c
-
SHA512
b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423
-
SSDEEP
768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewqu:QuQRylaUDTDxDXjy6AB7koYy2Gu
Malware Config
Signatures
-
Processes:
tmoopeg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" tmoopeg.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
tmoopeg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\IsInstalled = "1" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\StubPath = "C:\\Windows\\system32\\acberab.exe" tmoopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648} tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" tmoopeg.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
Processes:
tmoopeg.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" tmoopeg.exe -
Executes dropped EXE 2 IoCs
Processes:
tmoopeg.exetmoopeg.exepid Process 5008 tmoopeg.exe 1484 tmoopeg.exe -
Processes:
tmoopeg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" tmoopeg.exe -
Processes:
tmoopeg.exedescription ioc Process Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger tmoopeg.exe -
Modifies WinLogon 2 TTPs 5 IoCs
Processes:
tmoopeg.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} tmoopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" tmoopeg.exe -
Drops file in System32 directory 17 IoCs
Processes:
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exetmoopeg.exedescription ioc Process File created C:\Windows\SysWOW64\tmoopeg.exe c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe File opened for modification C:\Windows\SysWOW64\atvofeak.dll tmoopeg.exe File opened for modification C:\Windows\SysWOW64\aset32.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\idbg32.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\ouctisuc.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\acberab.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\winrnt.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\rmass.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\ntdbg.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\tmoopeg.exe c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe File created C:\Windows\SysWOW64\ouctisuc.exe tmoopeg.exe File created C:\Windows\SysWOW64\acberab.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\gymspzd.dll tmoopeg.exe File opened for modification C:\Windows\SysWOW64\tmoopeg.exe tmoopeg.exe File created C:\Windows\SysWOW64\atvofeak.dll tmoopeg.exe File opened for modification C:\Windows\SysWOW64\ahuy.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL tmoopeg.exe -
Processes:
resource yara_rule behavioral2/memory/4260-0-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/files/0x000c000000023b50-5.dat upx behavioral2/memory/4260-6-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/memory/1484-16-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/memory/5008-42-0x0000000000400000-0x0000000000417000-memory.dmp upx -
Drops file in Program Files directory 8 IoCs
Processes:
tmoopeg.exedescription ioc Process File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\ntdbg.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\RECOVER32.DLL tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\gymspzd.dll tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\rmass.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\ahuy.exe tmoopeg.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
tmoopeg.exetmoopeg.exec010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmoopeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmoopeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
tmoopeg.exetmoopeg.exepid Process 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 1484 tmoopeg.exe 1484 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe 5008 tmoopeg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exetmoopeg.exedescription pid Process Token: SeDebugPrivilege 4260 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe Token: SeDebugPrivilege 5008 tmoopeg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exetmoopeg.exedescription pid Process procid_target PID 4260 wrote to memory of 5008 4260 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 4260 wrote to memory of 5008 4260 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 4260 wrote to memory of 5008 4260 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 5008 wrote to memory of 1484 5008 tmoopeg.exe 84 PID 5008 wrote to memory of 1484 5008 tmoopeg.exe 84 PID 5008 wrote to memory of 1484 5008 tmoopeg.exe 84 PID 5008 wrote to memory of 616 5008 tmoopeg.exe 5 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56 PID 5008 wrote to memory of 3540 5008 tmoopeg.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\tmoopeg.exe"C:\Windows\system32\tmoopeg.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Windows security modification
- Indicator Removal: Clear Persistence
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\tmoopeg.exe--k33p4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1484
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD5cc230cdbe609effc28fd1490418f91c8
SHA178d8e49d51266a1bcca6fe547e19a8ffd0b1f289
SHA256d818d8badb22b9477ff04783ca96d533af5816299844dc106b2ae0ec108f1cf0
SHA51293fe294abd51d8408a6c70e891a4d9e6f9b90a87f5ab26472e884bd2efb84ccfa5b12b07cd0602beaf3a53d26484e5bc9465c019323dea716e0ba8805c8e6bc7
-
Filesize
5KB
MD5c8521a5fdd1c9387d536f599d850b195
SHA1a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
-
Filesize
33KB
MD5d962cefdfc686235d66d4efda4ca5944
SHA1a8d080ad94ffcbbdaf880cfb09a891303f67044a
SHA2562488fe4bd62407d43922cc78f2fdc7ec36e54c5d2ff11f84732bc3993e616647
SHA5122600f1ecfe9c50e2661b357b75050e107276fb38af2f26a1db7396a8e8db2de33dde494187f33bd09374af96baa895ccd313db647d0f84cc300be61a47461642
-
Filesize
30KB
MD5342c4c4f892f98b00b29035f9e483e10
SHA101323c60ad0f23039a8dee51c86c550d0b971519
SHA256c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c
SHA512b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423