Overview

overview

8

Static

static

8

ToDesk_Lite.exe

windows7_x64

5

ToDesk_Lite.exe

windows10_x64

5

Resubmissions

09-07-2021 13:58

210709-xk3hc7raax 8

02-07-2021 15:48

210702-mee6653ca6 10

Analysis

  • max time kernel
    1726s
  • max time network
    1829s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-07-2021 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ToDesk_Lite.exe

  • Size

    6.4MB

  • MD5

    ce5ab2494fc91c67248bbdb085b747c2

  • SHA1

    bdc554a291a4c4e2bf2490522aa70d0ff262cba7

  • SHA256

    4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6

  • SHA512

    a60d8225cf8c497f8364adde5467ba6872fd56692650b324815c7eec676e263776be8f7aa442e21d3cb733d5d7544d4e6001a2f8a5834f1b834c9de222b0cbc0

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
    "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe"
    1⤵
      PID:2004
    • C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
      "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" server_start
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
        "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" clinet_hide
        2⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\ToDesk\config.ini
      MD5

      4187f96e15ee413a8eb83d252fda4110

      SHA1

      7042dd19b9404cc24f8ac487c311eaf523c749a7

      SHA256

      d0618493d09ae512e80820b5929081fc74ddb640cf3ae2df05783249ad86592a

      SHA512

      9834d22423770fd1333309e4917e4b7f8ba2f3adba468d9ab1eb26b71b74812c93144fecefee7dea1531d12cc8647a5af4568624af3522869c72666236c74513

      Download Submit
    • memory/1832-61-0x0000000000000000-mapping.dmp
      Download
    • memory/2004-59-0x00000000754F1000-0x00000000754F3000-memory.dmp
      Filesize

      8KB

      Download