Play interactive tour

Edit tour

Analysis Report https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe

Overview

General Information

Sample URL:	https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe
Analysis ID:	401517
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

Startup

System is w10x64

cmd.exe (PID: 6392 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 6440 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

Tftpd64-4.64-setup.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe' MD5: 044CC568B52CE2E65EB82D3D3B7FFA2F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files\Tftpd64\tftpd64.exe

Virustotal: Detection: 8%

Perma Link

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd64.exe	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd32.chm	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\EUPL-EN.pdf	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd32.ini	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\uninstall.exe	Jump to behavior

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.128.89:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Source: unknown

DNS traffic detected: queries for: bitbucket.org

Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt
Source: wget.exe, 00000002.00000002.339741494.00000000012B9000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crtna
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crlqg
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: wget.exe, 00000002.00000002.339741494.00000000012B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl
Source: wget.exe, 00000002.00000002.339741494.00000000012B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.336864547.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: Tftpd64-4.64-setup.exe, Tftpd64-4.64-setup.exe, 00000005.00000000.343792672.0000000000409000.00000008.00020000.sdmp, uninstall.exe.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Tftpd64-4.64-setup.exe, 00000005.00000000.343792672.0000000000409000.00000008.00020000.sdmp, uninstall.exe.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000002.00000002.339741494.00000000012B9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: wget.exe, 00000002.00000002.339702945.000000000126C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comy
Source: tftpd64.exe.5.dr	String found in binary or memory: http://tftpd32.jounin.net
Source: wget.exe, 00000002.00000002.339741494.00000000012B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/0d2c3bf4-a97c-40b5-b347-2c7c47f5335d/downloads/17389c4c-2e
Source: cmdline.out.2.dr	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/0d2c3bf4-a97c-40b5-b347-2c7c47f5335d/downloads/17389c4c-2e4d-
Source: wget.exe, 00000002.00000002.339757198.00000000013D0000.00000004.00000040.sdmp, cmdline.out.2.dr	String found in binary or memory: https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.n
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS
Source: wget.exe, 00000002.00000003.336855620.000000000129F000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.339327377.00000000012A8000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPSWW

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.128.89:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Code function: 5_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00404FF1

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Code function: 5_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

5_2_0040312A

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00404802	5_2_00404802
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00406354	5_2_00406354
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00406B2B	5_2_00406B2B

Source: Tftpd64-4.64-setup.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstall.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal48.win@5/12@2/2

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Code function: 5_2_004042C1 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_004042C1

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Code function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,

5_2_00402053

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

File created: C:\Program Files\Tftpd64

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsk9E8A.tmp

Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe'
Source: unknown	Process created: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe 'C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe'	Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

File written: C:\Program Files\Tftpd64\tftpd32.ini

Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Automated click: I Agree
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Automated click: Next >
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd64.exe	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd32.chm	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\EUPL-EN.pdf	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\tftpd32.ini	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64\uninstall.exe	Jump to behavior

Source: tftpd64.exe.5.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Program Files\Tftpd64\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Program Files\Tftpd64\tftpd64.exe	Jump to dropped file

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd64	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd64\Uninstall.lnk	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd64\Tftpd64.lnk	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd64\Tftpd64 Settings.lnk	Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Dropped PE file which has not been started: C:\Program Files\Tftpd64\uninstall.exe			Jump to dropped file
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Dropped PE file which has not been started: C:\Program Files\Tftpd64\tftpd64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File Volume queried: C:\Program Files FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	File Volume queried: C:\Program Files FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	API call chain: ExitProcess graph end node			graph_5-3309
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	API call chain: ExitProcess graph end node			graph_5-3311

Source: Tftpd64-4.64-setup.exe, 00000005.00000002.606518853.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Tftpd64-4.64-setup.exe, 00000005.00000002.606518853.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Tftpd64-4.64-setup.exe, 00000005.00000002.606518853.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Tftpd64-4.64-setup.exe, 00000005.00000002.606518853.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\download\Tftpd64-4.64-setup.exe

5_2_0040312A

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection2	Masquerading3	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery15	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd64-4.64-setup.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails