tongda | 7d6d085ca3c09ae099e8fc4822281dfc0e68607ca840ff5e5305bdc4d7f251e2

General

Target

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
Size

2.9MB
MD5

fdc4436fa5700e2ff984d25dfcb19a72
SHA1

d6503f42be986ef42fe20c39309111bad7602403
SHA256

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63
SHA512

a21a29ae37488ceb331405c1f53fa8e795dc1744561fa57352c1dadbc82e01e0bdd2f3b5c03a1dcf3f0d7dfb71670cf0be88d702b8757c3b83ba592212d59cc1

Score

10^/10

ransomware spyware tongda

Malware Config

Extracted

Path

C:\readme_readme_readme.txt

Family

tongda

Ransom Note

send 0.3 bitcoin to 12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p screenchot and key send to [email protected] and [email protected] key:P0lzmrgTOFAPMbeaS8HW7EgsiiP7tuiSoQWE0YOet+51vmH1wmQWy6mGWZbTeLHUqkpZwncr8E20eYEvzv6cabWCorICDeQGMuyWUpJlTHZ+Z7iAZRv0zAPTd2YEoPEvfz8BGi1atZOSzgY6oYRfT1auVFiJSMkDxqfGP0zKy/0S7taQWS8QyvZronGLqp+NXYnTc7hRxOE1pFSIHuWmfB64Lsp2u/otKAVDFnS3kdOE6oOLCKQv/wtO2IFke0YUOOqZvxoAJLUzAZP8lwAcYgmbyErSRTqxmgAMYRvxuUrogSsOZwZO9QS2NfrvqYoimSo8r25eFDs5imNVMjg8Ug==

Emails

[email protected]

Wallets

12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Tongda 2000
Ransomware targetting the Chinese office management software Tongda OA.
ransomware tongda

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 420	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	67
PID 1008 wrote to memory of 420	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	67
PID 1008 wrote to memory of 420	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	67
PID 420 wrote to memory of 640	420	cmd.exe	68
PID 420 wrote to memory of 640	420	cmd.exe	68
PID 420 wrote to memory of 640	420	cmd.exe	68
PID 1008 wrote to memory of 1080	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	70
PID 1008 wrote to memory of 1080	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	70
PID 1008 wrote to memory of 1080	1008	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	70
PID 1080 wrote to memory of 1128	1080	cmd.exe	71
PID 1080 wrote to memory of 1128	1080	cmd.exe	71
PID 1080 wrote to memory of 1128	1080	cmd.exe	71

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
640	taskkill.exe
1128	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
"C:\Users\Admin\AppData\Local\Temp\7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mysqld.exe & cd ../mysql5/bin/ & move /Y mysqld.exe mysqld.exe1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "taskkill /f /im mysqld.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads