d1b9e3a7e548eedbbe122287b8589f1eb42023f77e8f7d6856dc1644f038f617

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tcmd1103x64.exe
Size

6.2MB
MD5

2bc1009b18915f773803aa5ce0c8c5aa
SHA1

e7ce87c81da0ed4eda263c0bc1a6e87ea2f5b6ec
SHA256

d1b9e3a7e548eedbbe122287b8589f1eb42023f77e8f7d6856dc1644f038f617
SHA512

cecff47bc915b4ca56ca6e524a78835adbe1d14d822f4e1fb7746fc9f5aeaa6ec50a4f2607b7b9a587165d30bce025395421a70832dfd08514fe44531d8d997c
SSDEEP

196608:fuoi4HImqMBbtrrxzf04DC4CycKkPpOMLvo:Gcz3uZlxOMk

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_NOR.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\UNRAR64.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_SVN.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\FILTER64\SoundTouchDLL_x64.dll	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\FILTER64\vmr9rotator.dll	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\DESCRIPT.ION	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DUT.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ENG.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCMZIP64.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\SFXHEAD.SFX	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\NOCLOSE64.EXE	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TCMDX32.EXE	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_DAN.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_DEU.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_SWE.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\HISTORY.TXT	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\VERTICAL.BAR	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DAN.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ITA.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\NO.BAR	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\WCMICONS.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\WCMICONS.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_SK.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_CHN.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCUNIN64.WUL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TOTALCMD64.EXE.MANIFEST	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_POL.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_RUS.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_KOR.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_UKR.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\HISTORY.TXT	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TOTALCMD.CHM	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\TCLZMA64.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LIBDEFLATE64.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\DEFAULT.BAR	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCUNINST.WUL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\WCMICONS.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.INC	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_SK.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCUNINST.WUL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCMADM64.EXE	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCshareWin10x64.dll	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DEU.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_ROM.INC	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_POL.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_HUN.LNG	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_SWE.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\DESCRIPT.ION	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\WCMICON2.DLL	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_CZ.MNU	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\LANGUAGE\WCMD_DAN.LNG	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\LANGUAGE\WCMD_ESP.MNU	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\FILTER64\AutoPitch.dll	tcmd1103x64.exe
File created	C:\Program Files\totalcmd\TCLZMA64.DLL	tcmd1103x64.exe
File opened for modification	C:\Program Files\totalcmd\CGLPT64.SYS	tcmd1103x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	tcmd1103x64.exe
572	tcmd1103x64.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	tcmd1103x64.exe
Token: SeDebugPrivilege	572	tcmd1103x64.exe
Token: SeDebugPrivilege	572	tcmd1103x64.exe
Token: SeDebugPrivilege	572	tcmd1103x64.exe
Token: SeDebugPrivilege	572	tcmd1103x64.exe
Token: SeDebugPrivilege	572	tcmd1103x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
572	tcmd1103x64.exe

C:\Users\Admin\AppData\Local\Temp\tcmd1103x64.exe
"C:\Users\Admin\AppData\Local\Temp\tcmd1103x64.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\totalcmd\TOTALCMD64.EXE

Filesize
9.9MB

MD5
010b1b115950c530717128a665f090ee

SHA1
bdabfdfc91f6ad541da2c6cd4a7abcb59f3e72c6

SHA256
aa7d04a9fad39fb4745804a90489ef5c283b9ec780d8f577106042c9e0ed78eb

SHA512
f52e2389dddc3d24ce64345a347813b6eed455e24d11c50fe31f0c197f36732bc0657e88bfb1f6abc3fbee60605e48cc7398d2bfb94733a5a11cbd2274779dd6

Download Submit