ac9a96be003388d497db4755c9ca68a2725c901fdec82b942b4fb84683490b01

General

Target

TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
Size

1.4MB
MD5

219ba6bac5cb35641e76ffdee2f97fbc
SHA1

4eb1887fc7de7552c674c5501de8776c5175de3f
SHA256

ac9a96be003388d497db4755c9ca68a2725c901fdec82b942b4fb84683490b01
SHA512

fff2cef9f701e5f1fa50e93e05bc13c13313815b151e9e31ff719d5b13a20d7437544efe001ad4a6745532c408e3adb42e512aaae4858d35e6bc9f18b864a9f3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

796 schtasks.exe

pid	process
796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

pid	process
1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

description pid process

Token: SeDebugPrivilege 1060 TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

description	pid	process
Token: SeDebugPrivilege	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
"C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWfdBxcEaEAQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3237.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:796
- C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
  "C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
  2⤵
  PID:888
- C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
  "C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
  2⤵
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
  "C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
  2⤵
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
  "C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
  "C:\Users\Admin\AppData\Local\Temp\TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe"
  2⤵
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3237.tmp

MD5
429c00b43869d357978e34c6b6127421

SHA1
4d45738a17e4eefcebf784b436321ee29ae64a9f

SHA256
d1926d734e72d7c78507b0802ded3639394f6b010fafc8598686911f117d5309

SHA512
8d1e6b125c433df2b29a404d9d1b33010ff1930c55cbd73aa0de5c1d94c700e06964045eb495e80d0737b35bcfef5be169908432394e8136fcd6063298653e04

Download Submit
memory/796-65-0x0000000000000000-mapping.dmp

Download
memory/1060-59-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1060-61-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1060-62-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1060-63-0x00000000052C0000-0x0000000005324000-memory.dmp

Filesize
400KB

Download
memory/1060-64-0x0000000000530000-0x000000000054F000-memory.dmp

Filesize
124KB

Download

description	pid	process	target process
PID 1060 wrote to memory of 796	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	schtasks.exe
PID 1060 wrote to memory of 796	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	schtasks.exe
PID 1060 wrote to memory of 796	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	schtasks.exe
PID 1060 wrote to memory of 796	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	schtasks.exe
PID 1060 wrote to memory of 888	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 888	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 888	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 888	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1112	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1112	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1112	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1112	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1468	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1468	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1468	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1468	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1892	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1892	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1892	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1892	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1832	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1832	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1832	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe
PID 1060 wrote to memory of 1832	1060	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe	TOA Vietnam Co., Ltd - Inquiry Note from 26.07.2021.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads