Analysis
max time kernel: 149s
max time network: 273s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-04-2024 14:58
Static task: static1

Behavioral task: behavioral1
  Sample: TangoGen.rar
  Resource: win11-20240412-en

Behavioral task: behavioral2
  Sample: TangoGen/TangoGenV1.3.exe
  Resource: win11-20240412-en

Behavioral task: behavioral3
  Sample: TangoGen/assets.js
  Resource: win11-20240412-en

Behavioral task: behavioral4
  Sample: TangoGen/instructions.txt
  Resource: win11-20240412-en

Behavioral task: behavioral5
  Sample: TangoGen/license.txt
  Resource: win11-20240412-en
General
Target: TangoGen/license.txt
Size: 6KB
MD5: 0b09566254b011d989decf0e23a902eb
SHA1: 3ae5cd6be73daf418b8deee9c865cf78225838c9
SHA256: a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1
SHA512: 4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b
SSDEEP: 192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, MiniSearchHost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  4460 | NOTEPAD.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: MiniSearchHost.exe
  pid | process
  384 | MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 2448 wrote to memory of 4460 | 2448 | cmd.exe | NOTEPAD.EXE
  PID 2448 wrote to memory of 4460 | 2448 | cmd.exe | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen\license.txt
  PID: 2448
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TangoGen\license.txt
    PID: 4460
    - Opens file in notepad (likely ransom note)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 384
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 4472
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: e8197e68deaabec1caac808d8a1b1202
  SHA1: 3b706ac97224e95f5db57eb60acf067ccf2d4c95
  SHA256: 89d5da8ae7c25fce8f1b74b2a02f4cb9d524dac5b752b35e511d399259a26d66
  SHA512: 609e6013c4683519b1d7448c2417ec3f528a0764f1ae9c9cedc213ceec2df497c187164e7b713e4a78236e17f6fc9680630551a7fec98c2432e308a48b8e66e0