Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/11/2024, 09:12
Behavioral task
behavioral1
Sample
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
-
Size
30KB
-
MD5
342c4c4f892f98b00b29035f9e483e10
-
SHA1
01323c60ad0f23039a8dee51c86c550d0b971519
-
SHA256
c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c
-
SHA512
b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423
-
SSDEEP
768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewqu:QuQRylaUDTDxDXjy6AB7koYy2Gu
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" tmoopeg.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648} tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\IsInstalled = "1" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A54534C-4c52-4648-5A54-534C4C524648}\StubPath = "C:\\Windows\\system32\\acberab.exe" tmoopeg.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" tmoopeg.exe -
Executes dropped EXE 2 IoCs
pid Process 3300 tmoopeg.exe 3092 tmoopeg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" tmoopeg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" tmoopeg.exe -
description ioc Process Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger tmoopeg.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" tmoopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} tmoopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" tmoopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" tmoopeg.exe -
Drops file in System32 directory 17 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\rmass.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\idbg32.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\tmoopeg.exe tmoopeg.exe File created C:\Windows\SysWOW64\tmoopeg.exe c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe File opened for modification C:\Windows\SysWOW64\ahuy.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\ntdbg.exe tmoopeg.exe File created C:\Windows\SysWOW64\acberab.exe tmoopeg.exe File created C:\Windows\SysWOW64\atvofeak.dll tmoopeg.exe File opened for modification C:\Windows\SysWOW64\aset32.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\gymspzd.dll tmoopeg.exe File opened for modification C:\Windows\SysWOW64\winrnt.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL tmoopeg.exe File opened for modification C:\Windows\SysWOW64\tmoopeg.exe c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe File opened for modification C:\Windows\SysWOW64\ouctisuc.exe tmoopeg.exe File created C:\Windows\SysWOW64\ouctisuc.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\acberab.exe tmoopeg.exe File opened for modification C:\Windows\SysWOW64\atvofeak.dll tmoopeg.exe -
resource yara_rule behavioral2/memory/2044-0-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/files/0x000c000000023b2b-5.dat upx behavioral2/memory/2044-8-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/memory/3092-18-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/memory/3300-43-0x0000000000400000-0x0000000000417000-memory.dmp upx behavioral2/memory/3092-48-0x0000000000400000-0x0000000000417000-memory.dmp upx -
Drops file in Program Files directory 8 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\ahuy.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\ntdbg.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\RECOVER32.DLL tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\gymspzd.dll tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe tmoopeg.exe File opened for modification C:\Program Files (x86)\Common Files\System\rmass.exe tmoopeg.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmoopeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmoopeg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3092 tmoopeg.exe 3092 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe 3300 tmoopeg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2044 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe Token: SeDebugPrivilege 3300 tmoopeg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 3300 2044 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 2044 wrote to memory of 3300 2044 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 2044 wrote to memory of 3300 2044 c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe 83 PID 3300 wrote to memory of 612 3300 tmoopeg.exe 5 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3092 3300 tmoopeg.exe 84 PID 3300 wrote to memory of 3092 3300 tmoopeg.exe 84 PID 3300 wrote to memory of 3092 3300 tmoopeg.exe 84 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56 PID 3300 wrote to memory of 3520 3300 tmoopeg.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\tmoopeg.exe"C:\Windows\system32\tmoopeg.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Windows security modification
- Indicator Removal: Clear Persistence
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\tmoopeg.exe--k33p4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3092
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD527251083addb9fbc3f2f9e60e4a2f5d3
SHA18b7a72adb7cb5b21d5f9abda1d41889ef5f16e1b
SHA256380f083fab7f9bc7f9f13cce6fe34be79034859145d0448fa3c59c0a84c97c2c
SHA512939136fdf4367378c58793dba024d1a3939f247fff8c0166d515588176d4e5e2be496312275274466d07a222a489b9efee8b4f97ea10386e7b2e8b7285b16c23
-
Filesize
5KB
MD5c8521a5fdd1c9387d536f599d850b195
SHA1a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
-
Filesize
33KB
MD5b6435aa2cf0f32c0ce24b71e6f031e19
SHA1eac799981adcae37bf089f86e2f93c48fdfa7cfe
SHA256ae3b83ea7d626a7eb464b67685a471b507877bb905c3d584d1e9ff51c8dac794
SHA512df0e93cff569185240c1625b3cbea4635672683210c1ff2e0532dcfc1a7b4124d9c256d4cd86da0c3e89325466874c1bbf9606b2c11e92d41ff810e1a525637a
-
Filesize
30KB
MD5342c4c4f892f98b00b29035f9e483e10
SHA101323c60ad0f23039a8dee51c86c550d0b971519
SHA256c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c
SHA512b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423