6da4ea12dc68301c66e9ec188a97cd2bdc657e1970e33937e1df86ba3eb76d3d

Analysis

max time kernel
20s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Timrex Perm/Timrex Perm/Download this first/3.exe
Size

4.2MB
MD5

339fe5621a6f481b823b21b6584c72d0
SHA1

8681ab09b386acbed0570480d54cd04edfed7a20
SHA256

9ad7e69763b7391791a92fba39fbfadfa3aa69d50a7801d2edc01f00d3577c9a
SHA512

e21bee36d6900680a57353282d98abb55e9513c27cc95be76b502b2ce94e1debb0a1cb478cbc803d6ecf366bbad070a4d8d3cc3068f8eeb963143f11f2caf351
SSDEEP

98304:9EbikxfQ6Fcg4r3n38Y3cTe7KLxGpvgGyLR4nweLSPbm1lztkmiZnv3wO5:0xfzcD3n38Y3ue7+xG5gNLRNkt5Ev3T5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 1 IoCs

pid	Process
3180	vs_setup_bootstrapper.exe

Loads dropped DLL 21 IoCs

pid	Process
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe
3180	vs_setup_bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	vs_setup_bootstrapper.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3180	3600	3.exe	86
PID 3600 wrote to memory of 3180	3600	3.exe	86
PID 3600 wrote to memory of 3180	3600	3.exe	86
PID 3180 wrote to memory of 368	3180	vs_setup_bootstrapper.exe	87
PID 3180 wrote to memory of 368	3180	vs_setup_bootstrapper.exe	87
PID 3180 wrote to memory of 368	3180	vs_setup_bootstrapper.exe	87

C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe
"C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\getmac.exe
    "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
18KB

MD5
6240940009abe0240203a943741f22b2

SHA1
21d7eaa572a701d2c463f1421b1b4dbb4355e91d

SHA256
62d8143505b130e7dcd2488384c19827787f9370c132d0c05957e16c28c70447

SHA512
4360785a85aa89aa303fb5a4e15233287457b6c46fb0a96e25b89703cc305fe76d0424fc93187da9dc25596b75c33ac9cc171ae37d599b0d914a3e22b0f0f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
115KB

MD5
7ee93c9293b25b94360c0bb61a0978d3

SHA1
2cd3c71473da6f2cff01f63ea3245e0c7794d15c

SHA256
7424bdcd743c2784e4043f7c489697b6cae3c7dae17b7190967b5522dd3d9bb7

SHA512
0523a771b3685604aab6088d194be5c3555011bd9a57f622f12fba1c6749f7974fc358563a54a85932dfd5be7cf342148fc972bbbabad5d8a5f421fd2e6ca367

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
581KB

MD5
b952eda0274f5fe9651312bbdbd35c36

SHA1
a1ca4f102124ffed512b2fd818ef21f29a094f95

SHA256
e8028eb8af8ccc9b78fc688c96e91eb45add8d9f72ce90c365a1eab1f812fe08

SHA512
8192b534adc3442ab23f8c040c4b67a907125ea86ee3f9e6b65f80aa731242b53e174eb394a05599b0e50f6f435f26b93c99b363adcf16724edf83917db79e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
307KB

MD5
484742c8c65f83e4b272692fa7badb3c

SHA1
fa16f4159547404ade16f8c1abcc8f6978da9abd

SHA256
78531f435198f0b0e0170f1b2d683e7785e5c1ad133b76b6b471a036d6e1d4ac

SHA512
1f47ef544ac5837766befebabab6d8122e3e28aef68e877794fa8ef9ca9583be011386c1eb8fbb566cea40b32b9268f3880f3f8f3c9ff8c78b0b3015d99a775c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
27f5c28bb57287a8f0187d7eee17bda8

SHA1
5b04cd155ee665609cc10c7e8cb72951843d3a5e

SHA256
cc3219b8b031286813871debe27e4d1ed3b2d8caac612d30c8a2cfca4806f41b

SHA512
d9973d51adcf9b683a1a67844fb81c796346fbe268ad4d85b91b02dd06bb584903ca5bb9588ac64118e8893203c1bb3ddf1a6d1246032c3fd9a82b189f82ecd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
950KB

MD5
903f254110813906331bef23e680bb9d

SHA1
6e4adfae4281d0b5bd0d8efd8f8eb919e974bd7d

SHA256
148081b9aaaee96125f7d2f09acffb95d7ce1c50d4e7b4b3ca8f3e372e2b8425

SHA512
150f5b438199faf8922390bc2cf93684de4a134e9c82f0e608954f02c47f630c8be22afe0349bd049bb1bc57dcd0951f9cf119713087940a769e076bae00c662

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
62KB

MD5
2dc1dc66b267a3470add7fab88b78069

SHA1
dbe80047475b503791038ed7e47389c062c15c72

SHA256
b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c

SHA512
44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
620B

MD5
9782b354e186ed3fefa10faeff60a200

SHA1
b87892f0ecf152be15a1db482cdffa6ce095fa54

SHA256
cff9e299fc76c8a40e873da6b2105090e3c6b77f5d1e3157bccbfcb1a4773db7

SHA512
d8e93674078fc865fac98f0186f62c55a9f16441568774bf173f2d80a02bed9f136cdf2658b563ed6f2aec16af5dfb32ac0e8e9e5e54c6e77929df48012f1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
404KB

MD5
e24ef04ddb8a5474314d34cbd3ffa0c2

SHA1
399b9c3336116df479793d322f8c1e884e154fff

SHA256
49fc3ec8ab51c8f05591ee0ff0d9040bed994dbc3ef9a417a188c6d69a56952f

SHA512
7e845f995cf5bc448f9accf4bc6a9c26a1354ec72b138348e0d474465a101cc77ff4f2801c1b58e48819053f80e7fdb0d0cf25664c2483314cb33b0d312d67e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
3KB

MD5
72f9933c6e247a13353d9725cd22c2da

SHA1
5b76599644e7c70cd5f08e5a80cec225c891a9da

SHA256
1f423b67ee6ca6a714507ab08fbd383b6d442bd98d321f0a640d533d5a516650

SHA512
afc7b5959506d197246fb482b0a2ca8f1ebfb5957234e547151d1e7a40047a2974768ccdf5c321a984685d99d4f7a1b0fbfb7fe81c40387a229808e45814a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.json

Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
memory/3180-136-0x00000000058E0000-0x0000000005930000-memory.dmp

Filesize
320KB

Download
memory/3180-174-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-145-0x0000000005C60000-0x0000000005C72000-memory.dmp

Filesize
72KB

Download
memory/3180-140-0x0000000005EA0000-0x0000000005F52000-memory.dmp

Filesize
712KB

Download
memory/3180-149-0x0000000005E10000-0x0000000005E36000-memory.dmp

Filesize
152KB

Download
memory/3180-153-0x00000000059D0000-0x00000000059D8000-memory.dmp

Filesize
32KB

Download
memory/3180-132-0x00000000057D0000-0x00000000057D8000-memory.dmp

Filesize
32KB

Download
memory/3180-124-0x0000000005840000-0x00000000058D4000-memory.dmp

Filesize
592KB

Download
memory/3180-157-0x00000000061A0000-0x00000000061B0000-memory.dmp

Filesize
64KB

Download
memory/3180-128-0x00000000059E0000-0x0000000005AD2000-memory.dmp

Filesize
968KB

Download
memory/3180-120-0x0000000005430000-0x0000000005598000-memory.dmp

Filesize
1.4MB

Download
memory/3180-116-0x00000000008F0000-0x0000000000958000-memory.dmp

Filesize
416KB

Download
memory/3180-165-0x0000000006380000-0x00000000063A2000-memory.dmp

Filesize
136KB

Download
memory/3180-166-0x00000000064F0000-0x0000000006844000-memory.dmp

Filesize
3.3MB

Download
memory/3180-167-0x00000000074A0000-0x0000000007506000-memory.dmp

Filesize
408KB

Download
memory/3180-168-0x00000000075B0000-0x0000000007642000-memory.dmp

Filesize
584KB

Download
memory/3180-169-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download
memory/3180-172-0x0000000008570000-0x000000000862A000-memory.dmp

Filesize
744KB

Download
memory/3180-114-0x00000000733CE000-0x00000000733CF000-memory.dmp

Filesize
4KB

Download
memory/3180-141-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-175-0x0000000008550000-0x0000000008558000-memory.dmp

Filesize
32KB

Download
memory/3180-176-0x000000000A680000-0x000000000A688000-memory.dmp

Filesize
32KB

Download
memory/3180-177-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-178-0x000000000ACA0000-0x000000000ACD8000-memory.dmp

Filesize
224KB

Download
memory/3180-179-0x000000000AC80000-0x000000000AC8E000-memory.dmp

Filesize
56KB

Download
memory/3180-180-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-181-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-182-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-183-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-184-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-188-0x00000000733CE000-0x00000000733CF000-memory.dmp

Filesize
4KB

Download
memory/3180-189-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-190-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-191-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-192-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-193-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3180-197-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads