94985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freeSpoofer/tools/tmac/Installer.exe
Size

189KB
MD5

34636047a124a3bdb21ff9c2b9402250
SHA1

49ecf948cfd6e85f38007b4267792d75031da015
SHA256

0d3390d29cde2d1f4b147d70fc7008abe2107c5cfdc0d1bfa746a180b70e03fe
SHA512

607d9a123c9b0a3fb74503e78255ac2033177f36903272660f9f650639496662d16177f47e61204e699172ba4233cda23442be538e6a07a2e39632eb709c0e9d
SSDEEP

3072:68dMhw/SymvBpLYDhU6Fh/S1PcU8MsGlUbLB:6I/tmvBpLYDhU6q1PcUnsGubl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
1768	Installer.exe
1992	Installer.exe
1992	Installer.exe
1992	Installer.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\oui.db	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_footer_back_h30.jpg	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\logo.gif	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\EULA.txt	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Read Me.txt	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\index.css	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\help.html	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\CLIHelp.txt	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_logo_back.jpg	Installer.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_back_blue_w800.jpg	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1768	Installer.exe
1992	Installer.exe
1992	Installer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1768 wrote to memory of 1992	1768	Installer.exe	30
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32
PID 1992 wrote to memory of 2728	1992	Installer.exe	32

C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\tmac\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\tmac\Installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\1107904314.99481\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\1107904314.99481\Installer.exe" /u
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7092553973.19794.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7092553973.19794.bat

Filesize
380B

MD5
91332154e8731417ded1f4c6601da595

SHA1
dd003b1f6156e389e07419d98ab05a97ec3ed37c

SHA256
e1486b075f6697f294fe1b156f87477b53398fe4d4750a135ed17b914ac55eec

SHA512
47cb28f9f5e750df6d82d0dc58642af489c7d3fdaaa4f2b61291c210036459ca93d0040d82ae32a7b20ad1e0c39aa5fc47653e0b1931af6edf95084471d7de73

Download Submit
\Users\Admin\AppData\Local\Temp\1107904314.99481\Installer.exe

Filesize
189KB

MD5
34636047a124a3bdb21ff9c2b9402250

SHA1
49ecf948cfd6e85f38007b4267792d75031da015

SHA256
0d3390d29cde2d1f4b147d70fc7008abe2107c5cfdc0d1bfa746a180b70e03fe

SHA512
607d9a123c9b0a3fb74503e78255ac2033177f36903272660f9f650639496662d16177f47e61204e699172ba4233cda23442be538e6a07a2e39632eb709c0e9d

Download Submit