2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100

General

Target

2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
Size

168KB
MD5

454a3fb58e149902f7727496391200e0
SHA1

4c9c5be7fbf71a84e53c770d7520f5593cc8c980
SHA256

2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100
SHA512

67348ebe3ae99386a47cfd7e516865d7a136fb521054f1a461808ee67e6356bbb0729d48f3413dee8910bbf6223fe59021f9b4eead77b248c5f5411ad1a019ac
SSDEEP

768:c4lvMajhJP5iUwbjMPkG1VuW/wqvRXMXp677yCzdXZRT2Nq1MaQnepMri14PGBEv:c4RlVJh+lGVs4emEFbMP0

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

tozop.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tozop.exe

Executes dropped EXE 1 IoCs

Processes:

tozop.exe

pid process

3144 tozop.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tozop.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /K"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /F"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /w"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /A"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /g"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /c"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /J"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /l"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /W"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /C"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /I"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /Z"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /H"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /R"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /b"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /X"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /x"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /r"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /N"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /y"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /m"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /O"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /f"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /j"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /q"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /z"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /L"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /v"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /Q"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /D"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /i"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /S"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /u"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /Y"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /T"	tozop.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /G"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /n"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /t"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /V"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /B"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /d"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /a"	tozop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tozop = "C:\\Users\\Admin\\tozop.exe /s"	tozop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tozop.exe

pid	process
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe
3144	tozop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exetozop.exe

pid process

772 2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
3144 tozop.exe

pid	process
772	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
3144	tozop.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exetozop.exe

description	pid	process	target process
PID 772 wrote to memory of 3144	772	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe	tozop.exe
PID 772 wrote to memory of 3144	772	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe	tozop.exe
PID 772 wrote to memory of 3144	772	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe	tozop.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
PID 3144 wrote to memory of 772	3144	tozop.exe	2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe

C:\Users\Admin\AppData\Local\Temp\2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe
"C:\Users\Admin\AppData\Local\Temp\2a07b35d0e67d8411f0145c2de91ff750ae97fb06f851e71b478f7805f7cc100.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\tozop.exe
"C:\Users\Admin\tozop.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tozop.exe

Filesize
168KB

MD5
6a8702a19dee4b48bf98ffc9e5451d96

SHA1
b57c59f013646bf00936fda4ba11402cc9ca0a6f

SHA256
2385cc1ce139409001c260096390223028a1347f6a688e6e6a19d8a9138adae1

SHA512
5bf4216fe8b57581b56d0627114c00b1e63144f318fba8b664763c8f1cb8b89b79061408764a48b92b743fb6b6e3ab700d6fb228bc693af7533004a9b47ce2a5

Download Submit
C:\Users\Admin\tozop.exe

Filesize
168KB

MD5
6a8702a19dee4b48bf98ffc9e5451d96

SHA1
b57c59f013646bf00936fda4ba11402cc9ca0a6f

SHA256
2385cc1ce139409001c260096390223028a1347f6a688e6e6a19d8a9138adae1

SHA512
5bf4216fe8b57581b56d0627114c00b1e63144f318fba8b664763c8f1cb8b89b79061408764a48b92b743fb6b6e3ab700d6fb228bc693af7533004a9b47ce2a5

Download Submit
memory/772-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3144-135-0x0000000000000000-mapping.dmp

Download
memory/3144-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3144-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads