Report - tpeinf.exe

Tags: Generic Malware, Downloader, Admin Tool (Sysinternals etc.), UPX, Malicious Library, Malicious Packer, PE File, PE32
Created: 2024.07.16 11:03
Machine: s1_win7_x6401
Filename: tpeinf.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 10
Behavior Score: 12.8
ZERO API (file): malware
VT API (file): 59 detected (AIDetectMalware, Tiny, malicious, high confidence, score, Unsafe, Mint, Zard, V1z7, Genus, Attribute, HighConfidence, GenericRXAA, Convagent, jvzevg, CLASSIC, XPACK, origin, DLDER, Real Protect, Detected, ai score=100, Malware@#39haopuw30io5, Phorpiex, BScope, Caynamer, GdSda, Gencirc, a5jVzlzuyvs, Static AI, Malicious PE, susgen, Behavior, confidence, 100%, RK8PHU)
md5: cfb7fbf1d4b077a0e74ed6e9aab650a8
sha256: d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0
ssdeep: 96:An2ZBONNkv90S32BOl7LN8cVHH/PtboynuYUBPCtL:An3NNazCE7dfP1oynfUBe
imphash: 68ea642d9ea854cd557366cd6c8ee49a
impfuzzy: 12:I4sXGXHX4GQGJvBBGy5hKvju6LIMLYLbFKSrOYEsy2WMCKIgL:WG3bTdBZ67HSrOF/2WEL

Signature (21 counts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
danger Stops Windows services
warning Generates some ICMP traffic
watch Attempts to disable Windows Auto Updates
watch Attempts to remove evidence of file being downloaded from the Internet
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Modifies security center warnings
watch Network activity contains more than one unique useragent
notice A process attempted to delay the analysis task
notice An executable file was downloaded by the process tpeinf.exe
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger
info The executable uses a known packer

Rules (13 counts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader binaries (download)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (20 counts)

Request                          CC       ASN                                                             IP4              Rule   ZERO
http://twizt.net/newtpp.exe      Unknown  -                                                               185.215.113.66   -      clean
http://185.215.113.66/2          Unknown  -                                                               185.215.113.66   26695  malicious
http://twizt.net/peinstall.php   Unknown  -                                                               185.215.113.66   -      clean
http://185.215.113.66/1          Unknown  -                                                               185.215.113.66   26694  malicious
twizt.net                        Unknown  -                                                               185.215.113.66   -      malware
www.update.microsoft.com         US       MICROSOFT-CORP-MSN-AS-BLOCK                                     20.72.235.82     -      clean
41.101.188.28                    DZ       Telecom Algeria                                                 41.101.188.28    -      clean
151.232.191.74                   IR       Iran Telecommunication Company PJS                              151.232.191.74   -      clean
5.232.85.255                     IR       Iran Telecommunication Company PJS                              5.232.85.255     -      clean
2.182.90.75                      IR       Information Technology Company (ITC)                            2.182.90.75      -      clean
2.181.30.194                     IR       Iran Telecommunication Company PJS                              2.181.30.194     -      clean
77.95.2.142                      TJ       Tajik Academician Research and Educational Network Association  77.95.2.142      -      clean
188.213.178.116                  IR       Iran Telecommunication Company PJS                              188.213.178.116  -      clean
20.109.209.108                   US       MICROSOFT-CORP-MSN-AS-BLOCK                                     20.109.209.108   -      clean
190.202.1.132                    VE       CANTV Servicios, Venezuela                                      190.202.1.132    -      clean
89.218.44.218                    KZ       JSC Kazakhtelecom                                               89.218.44.218    -      clean
151.232.168.137                  IR       Iran Telecommunication Company PJS                              151.232.168.137  -      clean
178.130.83.254                   YE       Public Telecommunication Corporation                            178.130.83.254   -      clean
95.59.118.94                     KZ       JSC Kazakhtelecom                                               95.59.118.94     -      clean
185.215.113.66                   Unknown  -                                                               185.215.113.66   -      malware

Suricata IDS

PE API

IAT (Import Address Table) by library

SHLWAPI.dll
 0x402070 PathFileExistsW
MSVCRT.dll
 0x40202c __setusermatherr
 0x402030 _adjust_fdiv
 0x402034 __p__commode
 0x402038 __p__fmode
 0x40203c _initterm
 0x402040 _except_handler3
 0x402044 _controlfp
 0x402048 __getmainargs
 0x40204c _acmdln
 0x402050 exit
 0x402054 _XcptFilter
 0x402058 _exit
 0x40205c srand
 0x402060 rand
 0x402064 memset
 0x402068 __set_app_type
WININET.dll
 0x402080 InternetOpenUrlA
 0x402084 InternetReadFile
 0x402088 InternetOpenA
 0x40208c InternetCloseHandle
 0x402090 InternetOpenW
 0x402094 InternetOpenUrlW
urlmon.dll
 0x40209c URLDownloadToFileW
KERNEL32.dll
 0x402000 CloseHandle
 0x402004 DeleteFileW
 0x402008 CreateFileW
 0x40200c ExpandEnvironmentStringsW
 0x402010 GetTickCount
 0x402014 GetModuleHandleA
 0x402018 GetStartupInfoA
 0x40201c Sleep
 0x402020 CreateProcessW
 0x402024 WriteFile
USER32.dll
 0x402078 wsprintfW

EAT (Export Address Table): none
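The import table above is enough on its own to profile this binary as a download-and-execute stager: WinINet and urlmon fetch (InternetOpenUrl*/InternetReadFile, URLDownloadToFileW), KERNEL32 writes and launches the result (CreateFileW/WriteFile, CreateProcessW), ExpandEnvironmentStringsW resolves a drop path such as the AppData folder noted in the signatures, and Sleep/GetTickCount fit the "delay the analysis task" behaviour. The following Python script is an added triage example, not part of this report or of the ZERO sandbox; the import list is transcribed from the IAT section, and the capability map and the "downloader profile" threshold are this example's own heuristics. Run it with a file path to read a real PE through the pefile library (an assumed, optional dependency), or with no argument to evaluate the transcribed imports.

```python
"""Static triage: infer capabilities from a PE import table.

Import names below are transcribed from the report's IAT section for
tpeinf.exe.  The capability map and the downloader profile are this
example's own heuristics, not sandbox rules.
"""
from __future__ import annotations

import sys
from collections import defaultdict

# Transcribed from the report's IAT listing (library -> imported functions).
TPEINF_IMPORTS: dict[str, list[str]] = {
    "SHLWAPI.dll": ["PathFileExistsW"],
    "MSVCRT.dll": ["__setusermatherr", "_adjust_fdiv", "__p__commode", "__p__fmode",
                   "_initterm", "_except_handler3", "_controlfp", "__getmainargs",
                   "_acmdln", "exit", "_XcptFilter", "_exit", "srand", "rand",
                   "memset", "__set_app_type"],
    "WININET.dll": ["InternetOpenUrlA", "InternetReadFile", "InternetOpenA",
                    "InternetCloseHandle", "InternetOpenW", "InternetOpenUrlW"],
    "urlmon.dll": ["URLDownloadToFileW"],
    "KERNEL32.dll": ["CloseHandle", "DeleteFileW", "CreateFileW",
                     "ExpandEnvironmentStringsW", "GetTickCount", "GetModuleHandleA",
                     "GetStartupInfoA", "Sleep", "CreateProcessW", "WriteFile"],
    "USER32.dll": ["wsprintfW"],
}

# Heuristic capability map (assumed for this example): (library, function) -> tag.
CAPABILITIES: dict[tuple[str, str], str] = {
    ("urlmon", "URLDownloadToFileW"): "http_download",
    ("wininet", "InternetOpenUrlA"): "http_download",
    ("wininet", "InternetOpenUrlW"): "http_download",
    ("wininet", "InternetReadFile"): "http_download",
    ("kernel32", "CreateFileW"): "file_write",
    ("kernel32", "WriteFile"): "file_write",
    ("kernel32", "DeleteFileW"): "file_delete",
    ("kernel32", "CreateProcessW"): "process_exec",
    ("kernel32", "ExpandEnvironmentStringsW"): "env_path_expansion",  # e.g. %APPDATA% drop path
    ("shlwapi", "PathFileExistsW"): "file_probe",
    ("kernel32", "Sleep"): "timing_delay",
    ("kernel32", "GetTickCount"): "timing_delay",
}

# A binary that can fetch, write and launch is treated as a downloader/stager.
DOWNLOADER_PROFILE = {"http_download", "file_write", "process_exec"}


def _norm_lib(name: str) -> str:
    """Lower-case the library name and strip the module extension."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def capabilities(imports: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map an import table to capability tags -> sorted 'lib!func' references."""
    found: dict[str, list[str]] = defaultdict(list)
    for lib, funcs in imports.items():
        lib_n = _norm_lib(lib)
        for func in funcs:
            tag = CAPABILITIES.get((lib_n, func))
            if tag:
                found[tag].append(f"{lib_n}!{func}")
    return {tag: sorted(refs) for tag, refs in found.items()}


def is_downloader(imports: dict[str, list[str]]) -> bool:
    """True when every tag in DOWNLOADER_PROFILE is present."""
    return DOWNLOADER_PROFILE <= set(capabilities(imports))


def load_imports(path: str) -> dict[str, list[str]]:
    """Read the import directory of a real PE with pefile (optional dependency)."""
    import pefile  # pip install pefile; only needed for this path

    pe = pefile.PE(path)
    out: dict[str, list[str]] = defaultdict(list)
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        lib = entry.dll.decode(errors="replace")
        for imp in entry.imports:
            if imp.name:  # ordinal-only imports carry no name
                out[lib].append(imp.name.decode(errors="replace"))
    return dict(out)


if __name__ == "__main__":
    table = load_imports(sys.argv[1]) if len(sys.argv) > 1 else TPEINF_IMPORTS
    for tag, refs in capabilities(table).items():
        print(f"{tag:20s} {', '.join(refs)}")
    print("downloader profile:", is_downloader(table))
```

The profile deliberately requires all three of fetch, write and execute; a plain updater imports the first two, and an installer stub the last two, so any single tag on its own is weak evidence. Ordinal-only imports and packed samples (this one is tagged UPX) will show a thinner table than the unpacked code actually uses, so run the check on the unpacked image where possible.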



Similarity measure (PE file only)