| File name: | TumarCSP.zip |
|---|---|
| Full analysis: | https://app.any.run/tasks/d83ff9b9-041d-4988-9546-5437467430bb |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | February 26, 2019, 06:03:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | AE1EED7DC901EE9B39525A4F49C48CEA |
| SHA1: | E8ED9C2CAEB70A15E983B17CEA0235EE6223D75B |
| SHA256: | 584E804E484FCAC4B4B532495CB6FF2BE5F512C64E3D1F7320406E1CD3E140FA |
| SSDEEP: | 196608:RPw7yXjnnk3+u0s+L8eYzF5VyuBqj4Pb0eOC61tX7fyy9WErjoUb3hPVkX7Cdl6:lWujnru0s+Ye4FDyz4j03C61t+eHrjob |

| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:02:26 11:57:12 |
| ZipCRC: | 0x27c715ea |
| ZipCompressedSize: | 1921971 |
| ZipUncompressedSize: | 1949551 |
| ZipFileName: | iBankSignerInstaller.exe |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 564 | certutil -addstore root ""C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\FF"\rootNCA.cer" | C:\Windows\system32\certutil.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 616 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | | csrss.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1836 | "C:\Program Files\GammaTech\TumarCSP\temp\SetupCSPx64.exe" | C:\Program Files\GammaTech\TumarCSP\temp\SetupCSPx64.exe | | TumarCSP.tmp | User: admin; Company: НИЛ "Гамма Технологии"; Integrity Level: HIGH; Description: Tumar CSP 6 Setup; Exit code: 0; Version: 6.2.1.6 |
| 1844 | sc config SCardSvr start= auto | C:\Windows\system32\sc.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: A tool to aid in developing services for WindowsNT; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2216 | "C:\Windows\system32\icacls.exe" C:\ProgramData\GammaTech\TumarCSP\cptumar.conf /grant:r *S-1-1-0:F | C:\Windows\system32\icacls.exe | — | SetupCSPx64.tmp | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2216 | certutil -addstore ca ""C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\FF"\subcaNCA.cer" | C:\Windows\system32\certutil.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2232 | "C:\Program Files\GammaTech\TumarCSP\temp\CertMgr.exe" /add /c ca_gost.cer /s /r localMachine Root | C:\Program Files\GammaTech\TumarCSP\temp\CertMgr.exe | — | TumarCSP.tmp | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: ECM Certificate Manager; Exit code: 0; Version: 6.0.6000.16384 (vista_rtm.061029-1900) |
| 2344 | "C:\Windows\system32\TumService.exe" start | C:\Windows\system32\TumService.exe | | SetupCSPx64.tmp | User: admin; Company: ТОО НИЛ Гамма Технологии; Integrity Level: HIGH; Description: TumarCSP service x32; Exit code: 0; Version: 1.0.1.295 |
| 2580 | "C:\Windows\regedit.exe" /s C:\Users\admin\AppData\Local\Temp\is-GH1IV.tmp\tumcfg.reg | C:\Windows\regedit.exe | — | TumarCSP.tmp | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2620 | C:\Windows\system32\cmd.exe /c dir "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\FF\cert8.db" /a-d /b /s | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| (3932) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\TumarCSP.zip |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| (3932) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| (3796) TumarCSP.tmp | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | Owner | D40E00008005BE0B99CDD401 |
| (3796) TumarCSP.tmp | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | SessionHash | 67B9F433C9A02FE344669CEF37539CB7B289785DDD011118F6EC60E52BB0B8DA |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3932.2917\iBankSignerInstaller.exe | — | — | — |
| 3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3932.2917\TumarCSP.exe | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-H9OTG.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Users\admin\AppData\Local\Temp\is-GH1IV.tmp\is-CEDLC.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Users\admin\AppData\Local\Temp\is-GH1IV.tmp\is-VTTT1.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-OT1KK.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-39P0O.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-PTDCL.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-QQOKF.tmp | — | — | — |
| 3796 | TumarCSP.tmp | C:\Program Files\GammaTech\TumarCSP\temp\is-49JON.tmp | — | — | — |
| Process | Message |
|---|---|
| TumService.exe | TumarCSP start |
| TumService.exe | TumarCSP stop |
| TumService.exe | TumarCSP start |
| TumService.exe | TumarCSP start |
| TumService.exe | TumarCSP stop |
| TumService.exe | User info: |
| TumService.exe | 1 [2]:SessionId = 1 - pWinStationName =Console SessionState = [0] |
| TumProcess.exe | !!! module: c:\Windows\System32\TumProcess.exe [TumProcess.exe_2956] |
| conhost.exe | !!! module: C:\Windows\system32\conhost.exe [conhost.exe_616] |
| conhost.exe | !!! module: C:\Windows\system32\conhost.exe [conhost.exe_616] |