Resubmissions

22-04-2024 15:01

240422-sd558scg4v 10

22-04-2024 14:58

240422-sch93scg21 10

Analysis

  • max time kernel
    91s
  • max time network
    204s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22-04-2024 14:58

General

  • Target

    TangoGen/instructions.txt

  • Size

    283B

  • MD5

    d1f4e26ecd7fbecbdc4f78f84ed4fb3e

  • SHA1

    ed45ea4e43b929e3fabaed771d678e4ede784e34

  • SHA256

    24c17fd24aaf02a5f7ac3f6c94c26aac66b5666fc017339d62d82816c41010ec

  • SHA512

    c179bd6dc3525ef97a0db494e6796dcb0f4bf00590b3010f90d02051bf9f18a96e80b52890ad2aedfd9d3f9cc4dc9a129caff2d03f25c5166fd660e1124a34a8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the signature fires only inside the Firefox tree (PIDs 4424 and 4012), not in the cmd.exe/NOTEPAD.EXE lineage that handled the submitted file, so it says nothing about the 283-byte text file under analysis.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

    Raised because NOTEPAD.EXE (PID 4356) was launched, via cmd /c, on the submitted file itself, the 283-byte TangoGen/instructions.txt. No file-encryption or other ransomware behaviour appears elsewhere in this report, so the "ransom note" reading is a heuristic on the file type and its viewer, not an observed payload.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attributes this hit to no listed process, so it cannot be tied to the submitted file from the process tree below.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4356
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.1291794468\557970113" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02445b54-de9e-44bd-85d1-5c701dd21894} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1848 24c6f7f6f58 gpu
        3⤵
        PID:1256
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.73154367\1275902220" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445ac2ed-8430-4c26-bff4-201da3388704} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2372 24c63a8a558 socket
        3⤵
        • Checks processor information in registry
        PID:4012
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.1108614109\1572518470" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b503d0-c6eb-4be3-9a91-3ae7906e7664} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2948 24c73518958 tab
        3⤵
        PID:3436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.415470815\890156227" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e744dee-7f57-4da1-9f4c-41509a06f32e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3632 24c7613ef58 tab
        3⤵
        PID:892
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.743175878\1606977717" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 4404 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6735f2ea-1ccc-41cd-85e1-99dbc6931667} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5004 24c77d54658 tab
        3⤵
        PID:2752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.5.68514212\1219364063" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5056 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec5628-0abf-431f-ad39-253f23f7333c} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5160 24c785a9258 tab
        3⤵
        PID:2564
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.6.194950423\336006700" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f36c08be-e7de-41f9-9f3f-ba69fdec67c7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5356 24c785a9e58 tab
        3⤵
        PID:672
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.7.341744965\306276511" -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae714d1-253c-4dda-9236-daec983542d7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5904 24c7a17f258 tab
        3⤵
        PID:2132
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.8.732588754\1133693908" -parentBuildID 20230214051806 -prefsHandle 6164 -prefMapHandle 6160 -prefsLen 27695 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c89f88-453f-402a-a9f7-91f050cb5e9e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6176 24c7ab63e58 rdd
        3⤵
        PID:3336
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.9.1823983917\2029031284" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6192 -prefMapHandle 6184 -prefsLen 27695 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f449ece3-a11f-4127-90a0-42f934a101f4} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6320 24c7abd7858 utility
        3⤵
        PID:3484
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.10.1210588212\1395681880" -childID 7 -isForBrowser -prefsHandle 6608 -prefMapHandle 6604 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7b420f-bc02-499e-8cdb-1a680af05f52} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6616 24c7ad23e58 tab
        3⤵
        PID:3540
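The process tree above has two unrelated roots: the cmd.exe/NOTEPAD.EXE pair that actually handled the submitted file, and a Firefox tree that raised most of the behavioural signatures. As an added example (not part of the sandbox report or its tooling), the Python script below rebuilds that tree from the PIDs listed above and splits the signatures by lineage, so a triager can see which hits the 283-byte text file can actually be charged with. Parent/child links are inferred from the report's depth markers, and the Firefox child command lines are shortened to their process kind; both are assumptions of the example, not data taken from the page.

```python
from collections import defaultdict

# Paths exactly as they appear in the report.
TARGET = r"C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt"
CMD = r"C:\Windows\system32\cmd.exe"
NOTEPAD = r"C:\Windows\system32\NOTEPAD.EXE"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# The ten entries of the report's Signatures section.
REPORT_SIGNATURES = {
    "Enumerates physical storage devices",
    "Checks processor information in registry",
    "Modifies registry class",
    "Opens file in notepad (likely ransom note)",
    "Suspicious use of AdjustPrivilegeToken",
    "Suspicious use of FindShellTrayWindow",
    "Suspicious use of SendNotifyMessage",
    "Suspicious use of SetWindowsHookEx",
    "Suspicious use of WriteProcessMemory",
    "Uses Task Scheduler COM API",
}

# Process list transcribed from the report's Processes section as
# (pid, parent pid or None, image, command line, signatures raised by that
# process). Parent links are an assumption taken from the depth markers
# (1/2/3) in the report; the long Firefox child command lines are
# abbreviated to their process kind, since only the presence of the target
# path in a command line matters to this script.
PROCESSES = [
    (2408, None, CMD, "cmd /c " + TARGET,
     ["Modifies registry class", "Suspicious use of WriteProcessMemory"]),
    (4356, 2408, NOTEPAD, '"' + NOTEPAD + '" ' + TARGET,
     ["Opens file in notepad (likely ransom note)"]),
    (4592, None, FIREFOX, '"' + FIREFOX + '"',
     ["Suspicious use of WriteProcessMemory"]),
    (4424, 4592, FIREFOX, '"' + FIREFOX + '"',
     ["Checks processor information in registry", "Modifies registry class",
      "Suspicious use of AdjustPrivilegeToken",
      "Suspicious use of FindShellTrayWindow",
      "Suspicious use of SendNotifyMessage",
      "Suspicious use of SetWindowsHookEx",
      "Suspicious use of WriteProcessMemory"]),
    (4012, 4424, FIREFOX, '"' + FIREFOX + '" -contentproc ... socket',
     ["Checks processor information in registry"]),
] + [
    (pid, 4424, FIREFOX, '"' + FIREFOX + '" -contentproc ... ' + kind, [])
    for pid, kind in [(1256, "gpu"), (3436, "tab"), (892, "tab"), (2752, "tab"),
                      (2564, "tab"), (672, "tab"), (2132, "tab"), (3336, "rdd"),
                      (3484, "utility"), (3540, "tab")]
]


def root_of(pid, parent):
    """Follow parent links up to the top-level process of pid's tree."""
    while parent.get(pid) is not None:
        pid = parent[pid]
    return pid


def attribute_signatures(processes, target):
    """Split signatures by whether the tree that raised them handled target.

    A tree "handled" the target if any command line in it names the submitted
    file. Returns the roots of those trees, the signatures raised inside them,
    and the signatures raised only by unrelated trees.
    """
    parent = {pid: ppid for pid, ppid, *_ in processes}
    sigs_by_root = defaultdict(set)
    sample_roots = set()
    for pid, _, _, cmdline, sigs in processes:
        root = root_of(pid, parent)
        sigs_by_root[root].update(sigs)
        if target.lower() in cmdline.lower():
            sample_roots.add(root)
    sample = set().union(*(sigs_by_root[r] for r in sample_roots))
    other = set().union(*(s for r, s in sigs_by_root.items() if r not in sample_roots))
    return {
        "sample_roots": sorted(sample_roots),
        "sample": sorted(sample),
        "other_only": sorted(other - sample),
    }


def unattributed(report_sigs, processes):
    """Report-level signatures that no listed process accounts for."""
    seen = set()
    for *_, sigs in processes:
        seen.update(sigs)
    return sorted(report_sigs - seen)


if __name__ == "__main__":
    result = attribute_signatures(PROCESSES, TARGET)
    print("trees that handled the sample:", result["sample_roots"])
    print("signatures in those trees:", result["sample"])
    print("signatures raised only elsewhere:", result["other_only"])
    print("report signatures with no process attribution:",
          unattributed(REPORT_SIGNATURES, PROCESSES))
```

Run as a script it prints the split; only three signatures sit in the cmd.exe/NOTEPAD.EXE tree, five (including the processor-information check) come solely from Firefox, and the storage-device enumeration and Task Scheduler COM API hits are listed separately because the page gives no process to pin them to. Replacing PROCESSES with a list parsed from another report's export makes the same attribution reusable.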

Network

MITRE ATT&CK Enterprise v15

Downloads

All nine entries below are Firefox profile and cache files under the sandbox user's Mozilla\Firefox\Profiles directory (the two prefs.js rows are two snapshots of the same path); none is the submitted instructions.txt.

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    26KB
    MD5
    76cdf555bd6571bce660d722c87889e7
    SHA1
    dace01c91deac69de2c37282fd0ead8eb0562932
    SHA256
    a6365e231c733480137711149158f8ddebaade47e2e7b5a600e7124c6e6fb655
    SHA512
    5c54898143c5cdc6431990acf783bfd90453f80b71064376124d309d099878dd9aed1776b76857f0dbdea979a12ce940579f98a795bd56ef86b47fe8de8fcdc5

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\1463
    Filesize
    16KB
    MD5
    d574874fbdd70859840a025a2382c564
    SHA1
    3b70944a8250bff24d275fa6f940063fb6a93e0d
    SHA256
    c781cf0f3dcad61fddc17edb10645997cc8409b9ca6f03e6ae953888fe960eb8
    SHA512
    405a0f3e8f9f3bc26f29d11b04097f8a6fd0a2ea9b74254b65d5d6510dac460c90342d78d2c06cce4b7fbc623fcf8f8195619fba63ce3684b2f194c74264af06

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\21300
    Filesize
    16KB
    MD5
    71d42f771cde3d7d2a78ed04644b218a
    SHA1
    57fe38b9f96b54f928c331b503bcbd8da85e6f01
    SHA256
    1fc229e5c16791e2af2e47ddd7bf779fafdbf5d4c5e56bd128b58fc06543f79f
    SHA512
    e751f7cdde5cf541e96d8c3b87ac94ab6748d154722c2beb3c404f6b346acc7d373af29be4e9e19804ddf564e996faefba88dba0db9e8c38c1dc828647a4a179

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\26868
    Filesize
    16KB
    MD5
    579aeecfaafdb4a71682513c4c3bdffc
    SHA1
    6837ff6f301330314f18ed55b253c7bc070a669c
    SHA256
    9f8db2c9d6f3ec4f6782a31ee6676ea9e82540951074e1f16632a37898c17d31
    SHA512
    61fb1a4aff25481b9804df8f640b398bf3dc6ee5fe8bfdb00bd1a00fa173df09677ad56bd38db39b1a4992060e0eea560767624707ad924dd317550f919cf824

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\27740
    Filesize
    16KB
    MD5
    4a929b146028932a2695680d389f73d8
    SHA1
    ca7554b1f9d8055abe575ecc8857c81b0aecea3f
    SHA256
    445bae41804f4cb1706528d2da29631cfecd4bb934370eb09540e98fb5872836
    SHA512
    56900620ca6f182583b5cad8907d2ba9b8c4dab623537de7ae5ae822856cdd95c8be2803a81bf6070fa3144a4c79dc9861e29eb5645e7b28f3c65a4e6e2cf851

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js
    Filesize
    7KB
    MD5
    0fe9ac5e645cfea2b430a730da3b6276
    SHA1
    07adcd09b97b5b9cc7f24cd4430090387c0dfd5e
    SHA256
    05add04c82b46e8ae86ad7afc31956451c9b9e483621288a3b081be4a7ea6a4c
    SHA512
    1d1ee6fa1d8720775f1f9d0014a020e3dab707c7939f0be8b86b775fe45c14b2c418ace877d5fecadd0ceccee359928967f3d232df23bee523ebfdc29c631dcb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js
    Filesize
    6KB
    MD5
    35f77f68d67796bf170d7e594bd7e126
    SHA1
    4bcecdbcaf74f08ba07aca62e7a92a6d1a1233ed
    SHA256
    03cb3067d4ada4c087a8144838fb4de6d7967234dcd64533979a01a141a6e223
    SHA512
    62b5719295b7e56e09930b4e5d1c7e421e6f23d6c354b2d1931b80be475547902e0984f360a946fa63a137add48ef92527b2a2f74abf2bd7120db9b0aaabe4d8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    723e63d49e6d6b1f94748292ec2c6ffe
    SHA1
    4f9dc7a1e71521b77a4ac8c30b0a5b4a6852b06c
    SHA256
    e94f17d3cea1ca52da9a95e964ab411e67bb81441d27dbeff6eab46657c384cd
    SHA512
    5b5713696cf091f397c683a962789a63a2bfe0e5b1d60a47ac0fdae18fe123fd685f2b3323052dc1ec3d35f6f15acbf6146d0f963d1096b1abe720caafdf2c9e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore.jsonlz4
    Filesize
    4KB
    MD5
    3bb13dbf75eb105585c97b8dd3eb565a
    SHA1
    49b5dac80d6501b8ce652c52a3199c4a678b554d
    SHA256
    38cfa200ffb46caabf74f4e40e217d99e4c1961cf2699b0efd3f19419b42e2ef
    SHA512
    7199bbb8726c05e7b72c83c3fad27f06999ea4e8b41e968ca3ecab1eef8a984d78a68d737f7bd1b2a3ed84b920dfd8ce352dafe1636d182bff33a9f0d0afc56e