Analysis

  • max time kernel
    39s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    07/09/2021, 13:54

General

  • Target

    85b3feab4909c92206c42bcfda5ccc3fac3e4c083dfedf1ec6fa62f446ab78dd.exe

  • Size

    2.9MB

  • MD5

    2afaaba149d078aee64dfc7f979400f0

  • SHA1

    d771c3660ff7f370d9daea55a397b0d9e3d6ba26

  • SHA256

    85b3feab4909c92206c42bcfda5ccc3fac3e4c083dfedf1ec6fa62f446ab78dd

  • SHA512

    5333e86582435b4341c32f701adb75b7356026118292bd59c84807ac27b1099ddd0fe56b840b8e0a3feca60835b05b1e1af2cebb53d557f11213ecf9d46ff7bf

Malware Config

Extracted

Path

C:\readme_readme_readme.txt

Family

tongda

Ransom Note

send 0.3 bitcoin to 12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p screenchot and key send to [email protected] and [email protected] key:Q+OmTXJ/v7xwxCzseawcqw+GMBS9xeQsZo/Ltnp7bsxfSZFEOOcSAx7vqbDfT0D2D2zpDmW0m8EBBRQjZ0l9C9Z1kUjdPNwwjGbF6sNZ7arrwJe7bPqGV+jez+s4fC04TUlyYkfLY7RmVzKW1peNNuABez/YuKH2mgO5FEgfDO+sN0LCuysJC6gwE3hgNKPVnlUArAD+A1hTuaFPvm2oXlCsmYY8++mTBVCIhx77FOsEqbqRDWhz0VI5+pVQn8j9tfIRbYvpfdhCiDSOtR3YAaqemDe0zW90PUGlaBenB+wkyxkvQQxdLn+wyQMF/0Yq7uCDkCMiHCSeJcxx8yiPDw==

Wallets

12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p

Signatures

  • Tongda 2000

    Ransomware targeting the Chinese office management software Tongda OA.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Kills process with taskkill 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85b3feab4909c92206c42bcfda5ccc3fac3e4c083dfedf1ec6fa62f446ab78dd.exe
    "C:\Users\Admin\AppData\Local\Temp\85b3feab4909c92206c42bcfda5ccc3fac3e4c083dfedf1ec6fa62f446ab78dd.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "taskkill /f /im mysqld.exe & cd ../mysql5/bin/ & move /Y mysqld.exe mysqld.exe1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysqld.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "taskkill /f /im mysqld.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysqld.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme_readme_readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1260

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1260-57-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

    Filesize

    8KB