e4b210caea4432928727e860786c36e5ef6ecacced4b00374a049342d4b62183

Analysis

max time kernel
299s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TSConfig.exe
Size

1.5MB
MD5

48c9a0c76b44a5f2729c876085adba4e
SHA1

8a5bee1995153d6069fb322ed23dec2de461f0df
SHA256

b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac
SHA512

75873d0d41e16f5c9c58784f5eff2749f33be720f6f235e9da69c08d688d07c9a879f0fa4e365a172c3c61408c5fdef391b139aca70c3f6560fed3c4a181238d
SSDEEP

24576:fY+Ag1SNPX13A9N9sLhqMFb3crrwrK00cjncHgPeR:qg1e5AGqMBgp00icHgPeR

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 996	3572	TSConfig.exe	83

Executes dropped EXE 1 IoCs

pid	Process
3572	TSConfig.exe

Loads dropped DLL 8 IoCs

pid	Process
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	38	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4860	TSConfig.exe
3572	TSConfig.exe
3572	TSConfig.exe
996	cmd.exe
996	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3572	TSConfig.exe
996	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3572	4860	TSConfig.exe	82
PID 4860 wrote to memory of 3572	4860	TSConfig.exe	82
PID 4860 wrote to memory of 3572	4860	TSConfig.exe	82
PID 3572 wrote to memory of 996	3572	TSConfig.exe	83
PID 3572 wrote to memory of 996	3572	TSConfig.exe	83
PID 3572 wrote to memory of 996	3572	TSConfig.exe	83
PID 3572 wrote to memory of 996	3572	TSConfig.exe	83
PID 996 wrote to memory of 4088	996	cmd.exe	93
PID 996 wrote to memory of 4088	996	cmd.exe	93
PID 996 wrote to memory of 4088	996	cmd.exe	93
PID 996 wrote to memory of 4088	996	cmd.exe	93
PID 996 wrote to memory of 4088	996	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\TSConfig.exe
"C:\Users\Admin\AppData\Local\Temp\TSConfig.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\TSConfig.exe
  C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\TSConfig.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2f46b285

Filesize
8.0MB

MD5
bc8882a42a1312d5fc2ed86388cfbb11

SHA1
d7868adbdecf2b16e42536c163dfea88958bba8b

SHA256
840123441ed38b8b90420a4f6b52ec1f1cad6b1411917ff85544f299c7d743e5

SHA512
ebe9489e3a0b9356253b2669845838e55c479dfa10bed6e11dce78e376897a033559aefa58fb035ade91efabc4beaafc40afef019cf26241aa0262dd88e05ee7

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\ISUIServices.dll

Filesize
7.1MB

MD5
8ff059505a66e89bcc87dbb93e41ff0d

SHA1
6594bca59b503dcd85071872f598bc442c1afebe

SHA256
37b0f6eb77b5bdc02ace904a0c9dbaba29a0e966f96839bacca52d207815adbd

SHA512
a5df05981f0ae4b16d3934f8525840fe0d219f728ce5dd83073d2503f279cb6cabee47ccd96825efbf12dd0999220cca9460a796024dabb20c95ae3917bf11d3

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\MSIMG32.dll

Filesize
3KB

MD5
ae2fb3295fd4bee1e651b7b6639d7bfe

SHA1
4ac939d67002aabccf7a5878302a37b8079dda12

SHA256
c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45

SHA512
90c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\MSVCP140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\TSConfig.exe

Filesize
1.5MB

MD5
48c9a0c76b44a5f2729c876085adba4e

SHA1
8a5bee1995153d6069fb322ed23dec2de461f0df

SHA256
b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac

SHA512
75873d0d41e16f5c9c58784f5eff2749f33be720f6f235e9da69c08d688d07c9a879f0fa4e365a172c3c61408c5fdef391b139aca70c3f6560fed3c4a181238d

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\ToolkitPro1840vc140U.dll

Filesize
11.4MB

MD5
4fd7b7bfea443fd09ef3bff0d1ae5e1a

SHA1
aef5c5d6d1639d2c084c235b1f308c8ff51048e1

SHA256
c725fceaa2d1a47189c9ae72720ce04682e64ad35c2310b83e560550817741f4

SHA512
7fb686be0a858e8e493ce1dbbc058070d4338a768fff0c0f05915183d4be5023fd362926d0eb6a9c4cedb2d7c2f5519e472298cbf3e2ea0980b5f0c7772bf0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\bandstand.psd

Filesize
7.4MB

MD5
160e42a1263f4ad93daa02de52ec3149

SHA1
21b192b8a4b0b8b6528b3ebe44d3722446c696e6

SHA256
92982679e0c8c32139243e9df2a4245825208205527ac8d3725c5959a0495d7e

SHA512
0b7d84ab31fbb12a6d1d7dbfad9af6259b62a0fd1df53af832e8a58b9ab422de951a69120ed9e06c3032524246ef5ee61dcff9d579914891d82246c597d2c1b9

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\hitch.psd

Filesize
38KB

MD5
293e46882b972ae4b53c8086f395ce36

SHA1
cb90150e763eded282f825d9e9f79a7f5df50484

SHA256
b9771fc5d6b937224f254a925771d80155cbaf24b33802cbb5af86760d0c162b

SHA512
b614d029eb327513ef83fe020e3eb0ada001d9f310ecddb15e260a22dde282b786ace501504f14b1e6d51eb935c3234ed210a8e0e207d1c1faa4dfd03bf6a5a6

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\mfc140u.dll

Filesize
4.6MB

MD5
266c6a0adda7ca07753636b1f8a69f7f

SHA1
996cc22086168cd47a19384117ee61e9eb03f99a

SHA256
3f8176bbc33f75fbcc429800461d84bcdb92d766d968220a9cc31f4cf6987271

SHA512
016c3197a089e68145741a74d6fb2749d45d0760cdb471c9c4efc17b365b0c0dfddd7ca331d5a6fad441485c382b382eab6ed9aca80640a540fed36c6905125c

Download Submit
C:\Users\Admin\AppData\Roaming\Oraclequick_v4_x64\vcruntime140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
memory/996-43-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

Filesize
2.0MB

Download
memory/996-45-0x0000000073020000-0x000000007319B000-memory.dmp

Filesize
1.5MB

Download
memory/3572-33-0x00000000024D0000-0x0000000002BFA000-memory.dmp

Filesize
7.2MB

Download
memory/3572-38-0x0000000073020000-0x000000007319B000-memory.dmp

Filesize
1.5MB

Download
memory/3572-39-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

Filesize
2.0MB

Download
memory/3572-40-0x0000000073020000-0x000000007319B000-memory.dmp

Filesize
1.5MB

Download
memory/4088-53-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-63-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-79-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-49-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-51-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

Filesize
2.0MB

Download
memory/4088-78-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-55-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-56-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-57-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-59-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-60-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-61-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-62-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-77-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-65-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-66-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-67-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-68-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-69-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-70-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-71-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-72-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-73-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-74-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4088-75-0x0000000000E00000-0x000000000158B000-memory.dmp

Filesize
7.5MB

Download
memory/4860-4-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

Filesize
2.0MB

Download
memory/4860-2-0x0000000002550000-0x0000000002C7A000-memory.dmp

Filesize
7.2MB

Download
memory/4860-3-0x0000000072C60000-0x0000000072DDB000-memory.dmp

Filesize
1.5MB

Download