c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69

General

Target

c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
Size

63KB
MD5

08388dae31961f3b39cf876837571858
SHA1

476b940dec0bb73da2b44839b40110d468d35261
SHA256

c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69
SHA512

4d8e4dc7d9c8eebc79550c22f10f4eb69026cf37cb1e2e3b6f5809bf4bf0e89fb15c3d748ec97bc40a3446cc6752423250e33fb4a370da738204cd8d13932950
SSDEEP

768:TO0EWgIos/JdQm2iE8NUIu0oWsV1qaZIp/Bj7YcRpaSOovHYxtxdve:SLe92iEzGs1stvHYxtHG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tuozo.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	tuozo.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tuozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuozo = "C:\\Users\\Admin\\tuozo.exe"	tuozo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1616	tuozo.exe
1616	tuozo.exe
1616	tuozo.exe
1616	tuozo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
1616	tuozo.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1616	1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe	28
PID 1784 wrote to memory of 1616	1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe	28
PID 1784 wrote to memory of 1616	1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe	28
PID 1784 wrote to memory of 1616	1784	c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe	28
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16
PID 1616 wrote to memory of 1784	1616	tuozo.exe	16

C:\Users\Admin\AppData\Local\Temp\c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
"C:\Users\Admin\AppData\Local\Temp\c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\tuozo.exe
  "C:\Users\Admin\tuozo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tuozo.exe

Filesize
63KB

MD5
457eadf104708110627322cba4a5d2be

SHA1
c73544da468cb187eea935beb9a59316eab08aec

SHA256
821794b8ca0e56fcc4ebb0e169dc07e74ff9f73182324c57cb34694e85745934

SHA512
bd298eb4fa3f2ac6b04ce97541c4c545676218117b3cd21eed72c2ad993d7bb7faf17361cbaa00d223e37fc0e712f8a9a104fa3610d1659e69d0db46760d6893

Download Submit
C:\Users\Admin\tuozo.exe

Filesize
63KB

MD5
457eadf104708110627322cba4a5d2be

SHA1
c73544da468cb187eea935beb9a59316eab08aec

SHA256
821794b8ca0e56fcc4ebb0e169dc07e74ff9f73182324c57cb34694e85745934

SHA512
bd298eb4fa3f2ac6b04ce97541c4c545676218117b3cd21eed72c2ad993d7bb7faf17361cbaa00d223e37fc0e712f8a9a104fa3610d1659e69d0db46760d6893

Download Submit
\Users\Admin\tuozo.exe

Filesize
63KB

MD5
457eadf104708110627322cba4a5d2be

SHA1
c73544da468cb187eea935beb9a59316eab08aec

SHA256
821794b8ca0e56fcc4ebb0e169dc07e74ff9f73182324c57cb34694e85745934

SHA512
bd298eb4fa3f2ac6b04ce97541c4c545676218117b3cd21eed72c2ad993d7bb7faf17361cbaa00d223e37fc0e712f8a9a104fa3610d1659e69d0db46760d6893

Download Submit
\Users\Admin\tuozo.exe

Filesize
63KB

MD5
457eadf104708110627322cba4a5d2be

SHA1
c73544da468cb187eea935beb9a59316eab08aec

SHA256
821794b8ca0e56fcc4ebb0e169dc07e74ff9f73182324c57cb34694e85745934

SHA512
bd298eb4fa3f2ac6b04ce97541c4c545676218117b3cd21eed72c2ad993d7bb7faf17361cbaa00d223e37fc0e712f8a9a104fa3610d1659e69d0db46760d6893

Download Submit
memory/1784-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads