Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/11/2024, 21:40

General

  • Target

    TikTokDesktop18.exe

  • Size

    17.9MB

  • MD5

    81f6b6fe3201c3941bd49243c5896811

  • SHA1

    8bd0d5bb78255fc9f2dcf70fde14dba16c66551c

  • SHA256

    fa4f1c0b324654420f8758b8ab1d7e0db22f0eacbff0d2e14413ed904ca54aaf

  • SHA512

    f3d22c84fb70a2c851f533037b74c45248b9074aa3042371672c89c3ee5229bbdbbc193e54840adbc5f17672430fbbc0b94dd12c8014f3a3ec93fece24e54d4f

  • SSDEEP

    393216:7bbTRUBXu2+WlsaxtBXu2+WlsaxtBXu2+WlsaxtBXu2+Wlsax:7PKBX4mtfBX4mtfBX4mtfBX4mt

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
    "C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\XfkHhGue'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\XfkHhGue
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1092
      2⤵
      • Program crash
      PID:2920

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize
    7KB
    MD5
    7a8bd43fd8beced77162230179b3a87f
    SHA1
    c1f3a4fae8502fd125af29299522ffdc15a71562
    SHA256
    518f4a6ccb20e3bac3bbca3adc5ffc4aeabf61fbc4ad298f83aa52b58147aab0
    SHA512
    ffddfff6c998dfc797d0875fb08dc8b98bd98c61c1461e160c6c5403fc6e7a23847b2855aa60bbf46146345f7b0fda1f380d29e88d9357e89d672f7a041234f0
  • memory/2016-9-0x0000000071310000-0x00000000718BB000-memory.dmp
    Filesize
    5.7MB
  • memory/2016-5-0x0000000071311000-0x0000000071312000-memory.dmp
    Filesize
    4KB
  • memory/2016-6-0x0000000071310000-0x00000000718BB000-memory.dmp
    Filesize
    5.7MB
  • memory/2016-7-0x0000000071310000-0x00000000718BB000-memory.dmp
    Filesize
    5.7MB
  • memory/2016-8-0x0000000071310000-0x00000000718BB000-memory.dmp
    Filesize
    5.7MB
  • memory/2016-15-0x0000000071310000-0x00000000718BB000-memory.dmp
    Filesize
    5.7MB
  • memory/2388-0-0x00000000745FE000-0x00000000745FF000-memory.dmp
    Filesize
    4KB
  • memory/2388-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp
    Filesize
    6.9MB
  • memory/2388-1-0x00000000000D0000-0x00000000012BA000-memory.dmp
    Filesize
    17.9MB
  • memory/2388-37-0x00000000745FE000-0x00000000745FF000-memory.dmp
    Filesize
    4KB
  • memory/2388-38-0x00000000745F0000-0x0000000074CDE000-memory.dmp
    Filesize
    6.9MB
  • memory/2388-39-0x00000000745F0000-0x0000000074CDE000-memory.dmp
    Filesize
    6.9MB