Analysis
max time kernel: 91s
max time network: 204s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-04-2024 14:58
Static task: static1
Behavioral task: behavioral1 - Sample: TangoGen.rar - Resource: win11-20240412-en
Behavioral task: behavioral2 - Sample: TangoGen/TangoGenV1.3.exe - Resource: win11-20240412-en
Behavioral task: behavioral3 - Sample: TangoGen/assets.js - Resource: win11-20240412-en
Behavioral task: behavioral4 - Sample: TangoGen/instructions.txt - Resource: win11-20240412-en
Behavioral task: behavioral5 - Sample: TangoGen/license.txt - Resource: win11-20240412-en
General
Target: TangoGen/instructions.txt
Size: 283B
MD5: d1f4e26ecd7fbecbdc4f78f84ed4fb3e
SHA1: ed45ea4e43b929e3fabaed771d678e4ede784e34
SHA256: 24c17fd24aaf02a5f7ac3f6c94c26aac66b5666fc017339d62d82816c41010ec
SHA512: c179bd6dc3525ef97a0db494e6796dcb0f4bf00590b3010f90d02051bf9f18a96e80b52890ad2aedfd9d3f9cc4dc9a129caff2d03f25c5166fd660e1124a34a8
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies registry class (2 IoCs)
Processes: cmd.exe, firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings | firefox.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
pid | process
4356 | NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 4424 | firefox.exe
Token: SeDebugPrivilege | 4424 | firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: firefox.exe
pid | process
4424 | firefox.exe
4424 | firefox.exe
4424 | firefox.exe
4424 | firefox.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: firefox.exe
pid | process
4424 | firefox.exe
4424 | firefox.exe
4424 | firefox.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: firefox.exe
pid | process
4424 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cmd.exe, firefox.exe, firefox.exe
The 64 recorded entries fall into four distinct source/target pairs (identical rows collapsed; count per row given):
description | pid | process | target process | entries
PID 2408 wrote to memory of 4356 | 2408 | cmd.exe | NOTEPAD.EXE | 2
PID 4592 wrote to memory of 4424 | 4592 | firefox.exe | firefox.exe | 11
PID 4424 wrote to memory of 1256 | 4424 | firefox.exe | firefox.exe | 43
PID 4424 wrote to memory of 4012 | 4424 | firefox.exe | firefox.exe | 8
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; child processes are indented under their parent)
- C:\Windows\system32\cmd.exe (PID 2408)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 4356)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
    Signatures: Opens file in notepad (likely ransom note)
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4592)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4424)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1256, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.1291794468\557970113" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02445b54-de9e-44bd-85d1-5c701dd21894} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1848 24c6f7f6f58 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4012, socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.73154367\1275902220" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445ac2ed-8430-4c26-bff4-201da3388704} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2372 24c63a8a558 socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3436, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.1108614109\1572518470" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b503d0-c6eb-4be3-9a91-3ae7906e7664} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2948 24c73518958 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 892, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.415470815\890156227" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e744dee-7f57-4da1-9f4c-41509a06f32e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3632 24c7613ef58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2752, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.743175878\1606977717" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 4404 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6735f2ea-1ccc-41cd-85e1-99dbc6931667} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5004 24c77d54658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2564, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.5.68514212\1219364063" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5056 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec5628-0abf-431f-ad39-253f23f7333c} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5160 24c785a9258 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 672, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.6.194950423\336006700" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f36c08be-e7de-41f9-9f3f-ba69fdec67c7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5356 24c785a9e58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2132, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.7.341744965\306276511" -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae714d1-253c-4dda-9236-daec983542d7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5904 24c7a17f258 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3336, rdd process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.8.732588754\1133693908" -parentBuildID 20230214051806 -prefsHandle 6164 -prefMapHandle 6160 -prefsLen 27695 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c89f88-453f-402a-a9f7-91f050cb5e9e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6176 24c7ab63e58 rdd
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3484, utility process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.9.1823983917\2029031284" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6192 -prefMapHandle 6184 -prefsLen 27695 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f449ece3-a11f-4127-90a0-42f934a101f4} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6320 24c7abd7858 utility
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3540, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.10.1210588212\1395681880" -childID 7 -isForBrowser -prefsHandle 6608 -prefMapHandle 6604 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7b420f-bc02-499e-8cdb-1a680af05f52} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6616 24c7ad23e58 tab
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 26KB
  MD5: 76cdf555bd6571bce660d722c87889e7
  SHA1: dace01c91deac69de2c37282fd0ead8eb0562932
  SHA256: a6365e231c733480137711149158f8ddebaade47e2e7b5a600e7124c6e6fb655
  SHA512: 5c54898143c5cdc6431990acf783bfd90453f80b71064376124d309d099878dd9aed1776b76857f0dbdea979a12ce940579f98a795bd56ef86b47fe8de8fcdc5
- (no path recorded)
  Filesize: 16KB
  MD5: d574874fbdd70859840a025a2382c564
  SHA1: 3b70944a8250bff24d275fa6f940063fb6a93e0d
  SHA256: c781cf0f3dcad61fddc17edb10645997cc8409b9ca6f03e6ae953888fe960eb8
  SHA512: 405a0f3e8f9f3bc26f29d11b04097f8a6fd0a2ea9b74254b65d5d6510dac460c90342d78d2c06cce4b7fbc623fcf8f8195619fba63ce3684b2f194c74264af06
- (no path recorded)
  Filesize: 16KB
  MD5: 71d42f771cde3d7d2a78ed04644b218a
  SHA1: 57fe38b9f96b54f928c331b503bcbd8da85e6f01
  SHA256: 1fc229e5c16791e2af2e47ddd7bf779fafdbf5d4c5e56bd128b58fc06543f79f
  SHA512: e751f7cdde5cf541e96d8c3b87ac94ab6748d154722c2beb3c404f6b346acc7d373af29be4e9e19804ddf564e996faefba88dba0db9e8c38c1dc828647a4a179
- (no path recorded)
  Filesize: 16KB
  MD5: 579aeecfaafdb4a71682513c4c3bdffc
  SHA1: 6837ff6f301330314f18ed55b253c7bc070a669c
  SHA256: 9f8db2c9d6f3ec4f6782a31ee6676ea9e82540951074e1f16632a37898c17d31
  SHA512: 61fb1a4aff25481b9804df8f640b398bf3dc6ee5fe8bfdb00bd1a00fa173df09677ad56bd38db39b1a4992060e0eea560767624707ad924dd317550f919cf824
- (no path recorded)
  Filesize: 16KB
  MD5: 4a929b146028932a2695680d389f73d8
  SHA1: ca7554b1f9d8055abe575ecc8857c81b0aecea3f
  SHA256: 445bae41804f4cb1706528d2da29631cfecd4bb934370eb09540e98fb5872836
  SHA512: 56900620ca6f182583b5cad8907d2ba9b8c4dab623537de7ae5ae822856cdd95c8be2803a81bf6070fa3144a4c79dc9861e29eb5645e7b28f3c65a4e6e2cf851
- (no path recorded)
  Filesize: 7KB
  MD5: 0fe9ac5e645cfea2b430a730da3b6276
  SHA1: 07adcd09b97b5b9cc7f24cd4430090387c0dfd5e
  SHA256: 05add04c82b46e8ae86ad7afc31956451c9b9e483621288a3b081be4a7ea6a4c
  SHA512: 1d1ee6fa1d8720775f1f9d0014a020e3dab707c7939f0be8b86b775fe45c14b2c418ace877d5fecadd0ceccee359928967f3d232df23bee523ebfdc29c631dcb
- (no path recorded)
  Filesize: 6KB
  MD5: 35f77f68d67796bf170d7e594bd7e126
  SHA1: 4bcecdbcaf74f08ba07aca62e7a92a6d1a1233ed
  SHA256: 03cb3067d4ada4c087a8144838fb4de6d7967234dcd64533979a01a141a6e223
  SHA512: 62b5719295b7e56e09930b4e5d1c7e421e6f23d6c354b2d1931b80be475547902e0984f360a946fa63a137add48ef92527b2a2f74abf2bd7120db9b0aaabe4d8
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 723e63d49e6d6b1f94748292ec2c6ffe
  SHA1: 4f9dc7a1e71521b77a4ac8c30b0a5b4a6852b06c
  SHA256: e94f17d3cea1ca52da9a95e964ab411e67bb81441d27dbeff6eab46657c384cd
  SHA512: 5b5713696cf091f397c683a962789a63a2bfe0e5b1d60a47ac0fdae18fe123fd685f2b3323052dc1ec3d35f6f15acbf6146d0f963d1096b1abe720caafdf2c9e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore.jsonlz4
  Filesize: 4KB
  MD5: 3bb13dbf75eb105585c97b8dd3eb565a
  SHA1: 49b5dac80d6501b8ce652c52a3199c4a678b554d
  SHA256: 38cfa200ffb46caabf74f4e40e217d99e4c1961cf2699b0efd3f19419b42e2ef
  SHA512: 7199bbb8726c05e7b72c83c3fad27f06999ea4e8b41e968ca3ecab1eef8a984d78a68d737f7bd1b2a3ed84b920dfd8ce352dafe1636d182bff33a9f0d0afc56e