Analysis
- max time kernel: 1800s
- max time network: 1797s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 09-07-2021 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: ToDesk_Lite.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ToDesk_Lite.exe
  Resource: win10v20210410
General
- Target: ToDesk_Lite.exe
- Size: 6.4MB
- MD5: ce5ab2494fc91c67248bbdb085b747c2
- SHA1: bdc554a291a4c4e2bf2490522aa70d0ff262cba7
- SHA256: 4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6
- SHA512: a60d8225cf8c497f8364adde5467ba6872fd56692650b324815c7eec676e263776be8f7aa442e21d3cb733d5d7544d4e6001a2f8a5834f1b834c9de222b0cbc0
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: ToDesk_Lite.exe, ToDesk_Lite.exe
  description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\service_2021_07_09.log | ToDesk_Lite.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini | ToDesk_Lite.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini | ToDesk_Lite.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_09.log | ToDesk_Lite.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: firefox.exe, firefox.exe
  description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Modifies registry class (1 IoCs)
  Processes: firefox.exe
  description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: ToDesk_Lite.exe
  pid | process
    2104 | ToDesk_Lite.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: ToDesk_Lite.exe
  pid | process
    644 | ToDesk_Lite.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: ToDesk_Lite.exe, firefox.exe
  description | pid | process
    Token: SeTcbPrivilege | 644 | ToDesk_Lite.exe
    Token: SeDebugPrivilege | 2760 | firefox.exe (3 identical entries)
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes: ToDesk_Lite.exe, firefox.exe
  pid | process
    2104 | ToDesk_Lite.exe (5 entries)
    2760 | firefox.exe (3 entries)
    2104 | ToDesk_Lite.exe
    2760 | firefox.exe
- Suspicious use of SendNotifyMessage (9 IoCs)
  Processes: ToDesk_Lite.exe, firefox.exe
  pid | process
    2104 | ToDesk_Lite.exe (5 entries)
    2760 | firefox.exe (3 entries)
    2104 | ToDesk_Lite.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: firefox.exe, firefox.exe
  pid | process
    3824 | firefox.exe
    2760 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: ToDesk_Lite.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe
  description | pid | process | target process
    PID 644 wrote to memory of 2104 | 644 | ToDesk_Lite.exe | ToDesk_Lite.exe (3 entries)
    PID 644 wrote to memory of 3268 | 644 | ToDesk_Lite.exe | ToDesk_Lite.exe (3 entries)
    PID 696 wrote to memory of 2760 | 696 | firefox.exe | firefox.exe (9 entries)
    PID 1448 wrote to memory of 3824 | 1448 | firefox.exe | firefox.exe (9 entries)
    PID 3824 wrote to memory of 1432 | 3824 | firefox.exe | firefox.exe (2 entries)
    PID 2760 wrote to memory of 3248 | 2760 | firefox.exe | firefox.exe (2 entries)
    PID 2760 wrote to memory of 3364 | 2760 | firefox.exe | firefox.exe (remaining 36 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe"
- C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" server_start
  Signatures:
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" clinet_hide
    Signatures:
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
    Signatures:
      - Drops file in System32 directory
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures:
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.1516074858\1536203126" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1496 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1616 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.100171628\1996978933" -childID 1 -isForBrowser -prefsHandle 1424 -prefMapHandle 1416 -prefsLen 535 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2108 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.13.673330793\1415304020" -childID 2 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 1402 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3236 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.20.895989220\781622663" -childID 3 -isForBrowser -prefsHandle 2644 -prefMapHandle 2528 -prefsLen 7542 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2636 tab
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures:
      - Checks processor information in registry
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.0.616483524\240975882" -parentBuildID 20200403170909 -prefsHandle 1388 -prefMapHandle 1380 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 1476 gpu
- C:\Windows\System32\fontview.exe
  Command line: "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\FormatRedo.ttc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\ToDesk\config.ini
  MD5: b6bf86578f868911097f6560f5edc6b9
  SHA1: 1a1b5b5dd2ac92360f34992dd7cb578cff9aad88
  SHA256: 863268ee3f8756f61d9da939ea37ffb6b5239adc6e19f45f20318998b1b49ebb
  SHA512: e0829de42e69aeaafd92d6c210721e1645b40c139024e1c8dc3b2bef0cb584fd16fbcf963cd57e8be382da3514896eb0e3e7420ab830a4289da08170deb0930d
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini
  MD5: 59dd798aaace3cd7a69b7e30d7f155a3
  SHA1: c63cd79815498222bbab9d177d148954d384caa9
  SHA256: 1b35fc16e1201ae134dde9e6a03bae5f0c840bdda113a0e6ef2534d574bd3ea8
  SHA512: f224b78b27c98e8ae4d9d370677ed6667511c77fe3bd0cbdd81948ed04ccaea705848b321c77cc3d74f93eee196d0223f15bb768d01e4d918902dcaebe7cc75a
- memory/1432-328-0x0000000000000000-mapping.dmp
- memory/2104-114-0x0000000000000000-mapping.dmp
- memory/2120-945-0x0000000000000000-mapping.dmp
- memory/2760-118-0x0000000000000000-mapping.dmp
- memory/3248-516-0x0000000000000000-mapping.dmp
- memory/3268-116-0x0000000000000000-mapping.dmp
- memory/3364-830-0x0000000000000000-mapping.dmp
- memory/3824-183-0x0000000000000000-mapping.dmp
- memory/3832-1396-0x0000000000000000-mapping.dmp