6da4ea12dc68301c66e9ec188a97cd2bdc657e1970e33937e1df86ba3eb76d3d

Sharing

Copy URL

Twitter E-mail

General

Target

Timrex Perm.rar
Size

27.6MB
Sample

250201-np89taslfl
MD5

9dfb14a94f9b44496bbc121b91b599dd
SHA1

3f03275758397c3b973cbb26097e443187697993
SHA256

6da4ea12dc68301c66e9ec188a97cd2bdc657e1970e33937e1df86ba3eb76d3d
SHA512

a91fdff74acec91b3d0f8aa1cde4e318c1fe5a9be75b41c240622613304a5d23f232b6793108edfd17783bc95aac1cd6c036187bea0286b59e6d355fbb1c1ece
SSDEEP

786432:famZpHiM5Qdrzy9TMH9X/x5pCBk9QTeVPqJ0opok5h4n6:CmDCTre9yXJ58dI00qQ6

Score

7^/10

Malware Config

Targets

- Target
  
  Timrex Perm/Timrex Perm/Download this first/1.exe
- Size
  
  24.2MB
- MD5
  
  101b0b9f74cdc6cdbd2570bfe92e302c
- SHA1
  
  2e6bae42c2842b4f558bd68099479b929bb7d910
- SHA256
  
  4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f
- SHA512
  
  ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506
- SSDEEP
  
  786432:urp+Ty2SfUfnbu+zMFy/7zYgWXRLTArzttOaaFC:Sp+Ty2SfWnPzMFO7zYgWBLbFC
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1
- Target
  
  Timrex Perm/Timrex Perm/Download this first/2.exe
- Size
  
  288KB
- MD5
  
  2cbd6ad183914a0c554f0739069e77d7
- SHA1
  
  7bf35f2afca666078db35ca95130beb2e3782212
- SHA256
  
  2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
- SHA512
  
  ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
- SSDEEP
  
  6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral2
- Target
  
  Timrex Perm/Timrex Perm/Download this first/3.exe
- Size
  
  4.2MB
- MD5
  
  339fe5621a6f481b823b21b6584c72d0
- SHA1
  
  8681ab09b386acbed0570480d54cd04edfed7a20
- SHA256
  
  9ad7e69763b7391791a92fba39fbfadfa3aa69d50a7801d2edc01f00d3577c9a
- SHA512
  
  e21bee36d6900680a57353282d98abb55e9513c27cc95be76b502b2ce94e1debb0a1cb478cbc803d6ecf366bbad070a4d8d3cc3068f8eeb963143f11f2caf351
- SSDEEP
  
  98304:9EbikxfQ6Fcg4r3n38Y3cTe7KLxGpvgGyLR4nweLSPbm1lztkmiZnv3wO5:0xfzcD3n38Y3ue7+xG5gNLRNkt5Ev3T5
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral3
- Target
  
  Timrex Perm/Timrex Perm/Perm.exe
- Size
  
  22KB
- MD5
  
  281698d0a353c1310cd43952998d11c0
- SHA1
  
  8d7588a8d40e933585f13b371822a06c9864e845
- SHA256
  
  17c29bbf8c4d0a602e1e6cd8010955cdcc1514e3114a46a0ac3278d0e7fc9819
- SHA512
  
  e5f6b2d7bdcd3688cf8a2deb159fcf66b4fac9afe033e6b83d0f861a5f1dc5b236b67fe261e614d1ac2cba55ae2fc9575424ab34f65002e2427f02aa085dfff4
- SSDEEP
  
  384:QGGuN6cMKifIYCuD59Z+J/rMLGk79jle1eOLQDa91VHHqTZfTnlYc3qeU0:rGuNlifh1D5KJ/rMKk7SkqQD8VqFlYc+
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral4
- Target
  
  Timrex Perm/Timrex Perm/Serial checker/Timrex Serials.bat
- Size
  
  1KB
- MD5
  
  61642a48b84b0f8468ee36cf53cd07d8
- SHA1
  
  87117498362cb37d3cbdd2db9894f4d85a445dcd
- SHA256
  
  a1bea8a38f623f883dacbf4793c307d7a8347715a796ac93332cb3afb8188b6d
- SHA512
  
  3e1be534f810e87fa917f26e7797ef6adb3ec3c5572f6f1c74650449dbf22cd6bd4f6c39c4bab1ef1b13a4a67da9f0e461c6ec308cc1e55b8027d9830723271a
Score

1^/10
behavioral5
- Target
  
  Timrex Perm/Timrex Perm/Wifi & Bluetooth disabler/Disabler [Run Admin].bat
- Size
  
  1001B
- MD5
  
  f231be56f8dd034fd9e62fe67b120dec
- SHA1
  
  c0a4b9d91f5934f00a6cc28cdad56dfee45d3116
- SHA256
  
  ff5735d7157d43beaf0ea13eae9dc29619d9384a79c0009c7b0ada9d722f0a30
- SHA512
  
  0da567136e8e24ed1cdcd27633ba2f68c26c9fcc3038d1d7a041516e187d97c9a1fc22eb57552f4a4378e58daeb297991e95f388530fa38e12c67ddcf50b22dd
Score

1^/10
behavioral6
- Target
  
  Timrex Perm/Timrex Perm/defender control/Defender_Settings.vbs
- Size
  
  313B
- MD5
  
  b0bf0a477bcca312021177572311e666
- SHA1
  
  ea77332d7779938ae8e92ad35d6dea4f4be37a92
- SHA256
  
  af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
- SHA512
  
  09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score

1^/10
behavioral7
- Target
  
  Timrex Perm/Timrex Perm/defender control/dControl.exe
- Size
  
  447KB
- MD5
  
  58008524a6473bdf86c1040a9a9e39c3
- SHA1
  
  cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256
  
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512
  
  8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP
  
  6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score

5^/10

discovery upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8