bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2

General

Target

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
Size

447KB
MD5

b11ac9f1dc4bc69b0e9e4fd9e70f3c2f
SHA1

6cb25247dc4fc65c157052dc619f9903193a53ad
SHA256

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2
SHA512

ff1317947b517aa1fcd52ac6e41c84fd0d168a501a710b6ebf62557ebbc1f1a8aa4b39bf30335d71e7a2c6382b14b60c83a640c261083b83e29814d682edbbbf
SSDEEP

12288:QjkArEN249AyE/rbaMct4bO2/VAZPYJ2pfsLEuhi4B:LFE//Tct4bOs/mUthN

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1996 netsh.exe
868 netsh.exe
1800 netsh.exe

pid	process
1996	netsh.exe
868	netsh.exe
1800	netsh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\TozomaaSO\TozomaaSO.exe	upx
\TozomaaSO\TozomaaSO.exe	upx
\TozomaaSO\TozomaaSO.exe	upx
behavioral1/memory/884-58-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/884-60-0x0000000002530000-0x0000000002540000-memory.dmp	upx
behavioral1/memory/884-67-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/884-70-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

pid	process
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/884-58-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/884-67-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/884-70-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

pid	process
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

pid	process
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe

description	pid	process	target process
PID 884 wrote to memory of 1800	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1800	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1800	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1800	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1996	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1996	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1996	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 1996	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 868	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 868	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 868	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe
PID 884 wrote to memory of 868	884	bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe
"C:\Users\Admin\AppData\Local\Temp\bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall show rule name="TozomaaSO_Update"
2⤵
- Modifies Windows Firewall
PID:1800

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=TozomaaSO_BG
2⤵
- Modifies Windows Firewall
PID:1996

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="TozomaaSO_BG" dir=in action=allow program="C:\TozomaaSO\TozomaaBG.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\TozomaaSO\TozomaaSO.exe

Filesize
447KB

MD5
b11ac9f1dc4bc69b0e9e4fd9e70f3c2f

SHA1
6cb25247dc4fc65c157052dc619f9903193a53ad

SHA256
bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2

SHA512
ff1317947b517aa1fcd52ac6e41c84fd0d168a501a710b6ebf62557ebbc1f1a8aa4b39bf30335d71e7a2c6382b14b60c83a640c261083b83e29814d682edbbbf

Download Submit
\TozomaaSO\TozomaaSO.exe

Filesize
447KB

MD5
b11ac9f1dc4bc69b0e9e4fd9e70f3c2f

SHA1
6cb25247dc4fc65c157052dc619f9903193a53ad

SHA256
bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2

SHA512
ff1317947b517aa1fcd52ac6e41c84fd0d168a501a710b6ebf62557ebbc1f1a8aa4b39bf30335d71e7a2c6382b14b60c83a640c261083b83e29814d682edbbbf

Download Submit
\TozomaaSO\TozomaaSO.exe

Filesize
447KB

MD5
b11ac9f1dc4bc69b0e9e4fd9e70f3c2f

SHA1
6cb25247dc4fc65c157052dc619f9903193a53ad

SHA256
bfd15ec46638355608d5f63c139b1369c9f88ed7dbde7685af1b8e8b85efaca2

SHA512
ff1317947b517aa1fcd52ac6e41c84fd0d168a501a710b6ebf62557ebbc1f1a8aa4b39bf30335d71e7a2c6382b14b60c83a640c261083b83e29814d682edbbbf

Download Submit
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/884-58-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/884-59-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/884-60-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/884-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/884-67-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/884-68-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/884-69-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/884-70-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1800-61-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads