4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6

General

Target

ToDesk_Lite.exe
Size

6.4MB
MD5

ce5ab2494fc91c67248bbdb085b747c2
SHA1

bdc554a291a4c4e2bf2490522aa70d0ff262cba7
SHA256

4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6
SHA512

a60d8225cf8c497f8364adde5467ba6872fd56692650b324815c7eec676e263776be8f7aa442e21d3cb733d5d7544d4e6001a2f8a5834f1b834c9de222b0cbc0

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

Processes:

ToDesk_Lite.exeToDesk_Lite.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\service_2021_07_09.log	ToDesk_Lite.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_09.log	ToDesk_Lite.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ToDesk_Lite.exe

pid process

2104 ToDesk_Lite.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ToDesk_Lite.exe

pid	process
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe
644	ToDesk_Lite.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ToDesk_Lite.exefirefox.exe

description	pid	process
Token: SeTcbPrivilege	644	ToDesk_Lite.exe
Token: SeDebugPrivilege	2760	firefox.exe
Token: SeDebugPrivilege	2760	firefox.exe
Token: SeDebugPrivilege	2760	firefox.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

ToDesk_Lite.exefirefox.exe

pid	process
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2760	firefox.exe
2760	firefox.exe
2760	firefox.exe
2104	ToDesk_Lite.exe
2760	firefox.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

ToDesk_Lite.exefirefox.exe

pid	process
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2104	ToDesk_Lite.exe
2760	firefox.exe
2760	firefox.exe
2760	firefox.exe
2104	ToDesk_Lite.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exefirefox.exe

pid process

3824 firefox.exe
2760 firefox.exe

pid	process
3824	firefox.exe
2760	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ToDesk_Lite.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 644 wrote to memory of 2104	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 644 wrote to memory of 2104	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 644 wrote to memory of 2104	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 644 wrote to memory of 3268	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 644 wrote to memory of 3268	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 644 wrote to memory of 3268	644	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 2760	696	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 1448 wrote to memory of 3824	1448	firefox.exe	firefox.exe
PID 3824 wrote to memory of 1432	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 1432	3824	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3248	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3248	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe
PID 2760 wrote to memory of 3364	2760	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe"
1⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" server_start
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" clinet_hide
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2104

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:3268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.1516074858\1536203126" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1496 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1616 gpu
3⤵
PID:3248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.100171628\1996978933" -childID 1 -isForBrowser -prefsHandle 1424 -prefMapHandle 1416 -prefsLen 535 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2108 tab
3⤵
PID:3364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.13.673330793\1415304020" -childID 2 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 1402 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3236 tab
3⤵
PID:2120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.20.895989220\781622663" -childID 3 -isForBrowser -prefsHandle 2644 -prefMapHandle 2528 -prefsLen 7542 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2636 tab
3⤵
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.0.616483524\240975882" -parentBuildID 20200403170909 -prefsHandle 1388 -prefMapHandle 1380 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 1476 gpu
3⤵
PID:1432

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\FormatRedo.ttc
1⤵
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ToDesk\config.ini
MD5
b6bf86578f868911097f6560f5edc6b9

SHA1
1a1b5b5dd2ac92360f34992dd7cb578cff9aad88

SHA256
863268ee3f8756f61d9da939ea37ffb6b5239adc6e19f45f20318998b1b49ebb

SHA512
e0829de42e69aeaafd92d6c210721e1645b40c139024e1c8dc3b2bef0cb584fd16fbcf963cd57e8be382da3514896eb0e3e7420ab830a4289da08170deb0930d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini
MD5
59dd798aaace3cd7a69b7e30d7f155a3

SHA1
c63cd79815498222bbab9d177d148954d384caa9

SHA256
1b35fc16e1201ae134dde9e6a03bae5f0c840bdda113a0e6ef2534d574bd3ea8

SHA512
f224b78b27c98e8ae4d9d370677ed6667511c77fe3bd0cbdd81948ed04ccaea705848b321c77cc3d74f93eee196d0223f15bb768d01e4d918902dcaebe7cc75a

Download Submit
memory/1432-328-0x0000000000000000-mapping.dmp

Download
memory/2104-114-0x0000000000000000-mapping.dmp

Download
memory/2120-945-0x0000000000000000-mapping.dmp

Download
memory/2760-118-0x0000000000000000-mapping.dmp

Download
memory/3248-516-0x0000000000000000-mapping.dmp

Download
memory/3268-116-0x0000000000000000-mapping.dmp

Download
memory/3364-830-0x0000000000000000-mapping.dmp

Download
memory/3824-183-0x0000000000000000-mapping.dmp

Download
memory/3832-1396-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads