4ead288dd0950c2ef0428ed8df3e27772f523687d8874134c570fc5ccac444ef

General

Target

BackupToGo_Install.exe
Size

54.5MB
MD5

1cdb04cc84f8b9896d3c251fd81095e6
SHA1

04b06dbdbb8de4091e88cc36759ab372bc382aee
SHA256

414ccf335973d41427583f9197e8a2b35b0a2b800ec4a399c6deb6ffd1fe2de5
SHA512

b8730daa9c7f80ff4ff931bc6f6aa9f57f4b727e05b5da28836a5817e4dd30ec50c8af28d3883a2987887b6b317dcedabb49c347cd7b03a99aa9a5d2e9397259
SSDEEP

1572864:pF81cqiPWZO5FDNJ7Xmbt5zjv/RIG323:pF8iFPl53J7czj5T0

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\FNETURPX.SYS	BackupToGo_Install.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	Backup ToGo.exe

Loads dropped DLL 3 IoCs

pid	Process
2160	BackupToGo_Install.exe
2160	BackupToGo_Install.exe
2160	BackupToGo_Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Backup ToGo.exe
File opened (read-only)	\??\Q:	Backup ToGo.exe
File opened (read-only)	\??\S:	Backup ToGo.exe
File opened (read-only)	\??\T:	Backup ToGo.exe
File opened (read-only)	\??\U:	Backup ToGo.exe
File opened (read-only)	\??\V:	Backup ToGo.exe
File opened (read-only)	\??\X:	Backup ToGo.exe
File opened (read-only)	\??\K:	Backup ToGo.exe
File opened (read-only)	\??\L:	Backup ToGo.exe
File opened (read-only)	\??\N:	Backup ToGo.exe
File opened (read-only)	\??\O:	Backup ToGo.exe
File opened (read-only)	\??\P:	Backup ToGo.exe
File opened (read-only)	\??\E:	Backup ToGo.exe
File opened (read-only)	\??\G:	Backup ToGo.exe
File opened (read-only)	\??\R:	Backup ToGo.exe
File opened (read-only)	\??\Y:	Backup ToGo.exe
File opened (read-only)	\??\H:	Backup ToGo.exe
File opened (read-only)	\??\I:	Backup ToGo.exe
File opened (read-only)	\??\J:	Backup ToGo.exe
File opened (read-only)	\??\M:	Backup ToGo.exe
File opened (read-only)	\??\W:	Backup ToGo.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Backup ToGo\libeay32.dll	BackupToGo_Install.exe
File created	C:\Program Files (x86)\Backup ToGo\ssleay32.dll	BackupToGo_Install.exe
File created	C:\Program Files (x86)\Backup ToGo\Backup ToGo.exe	BackupToGo_Install.exe
File opened for modification	C:\Program Files (x86)\Backup ToGo\Backup ToGo.exe	BackupToGo_Install.exe
File created	C:\Program Files (x86)\Backup ToGo\FDI.exe	BackupToGo_Install.exe
File created	C:\Program Files (x86)\Backup ToGo\Uninstall.exe	BackupToGo_Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Backup ToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BackupToGo_Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	Backup ToGo.exe
Token: SeBackupPrivilege	2752	Backup ToGo.exe
Token: SeRestorePrivilege	2752	Backup ToGo.exe
Token: SeSystemtimePrivilege	2752	Backup ToGo.exe
Token: SeAssignPrimaryTokenPrivilege	2752	Backup ToGo.exe
Token: SeAuditPrivilege	2752	Backup ToGo.exe
Token: SeChangeNotifyPrivilege	2752	Backup ToGo.exe
Token: SeCreatePagefilePrivilege	2752	Backup ToGo.exe
Token: SeCreatePermanentPrivilege	2752	Backup ToGo.exe
Token: SeCreateTokenPrivilege	2752	Backup ToGo.exe
Token: SeDebugPrivilege	2752	Backup ToGo.exe
Token: SeEnableDelegationPrivilege	2752	Backup ToGo.exe
Token: SeImpersonatePrivilege	2752	Backup ToGo.exe
Token: SeIncBasePriorityPrivilege	2752	Backup ToGo.exe
Token: SeIncreaseQuotaPrivilege	2752	Backup ToGo.exe
Token: SeLoadDriverPrivilege	2752	Backup ToGo.exe
Token: SeLockMemoryPrivilege	2752	Backup ToGo.exe
Token: SeMachineAccountPrivilege	2752	Backup ToGo.exe
Token: SeManageVolumePrivilege	2752	Backup ToGo.exe
Token: SeProfSingleProcessPrivilege	2752	Backup ToGo.exe
Token: SeRemoteShutdownPrivilege	2752	Backup ToGo.exe
Token: SeSecurityPrivilege	2752	Backup ToGo.exe
Token: SeSyncAgentPrivilege	2752	Backup ToGo.exe
Token: SeSystemEnvironmentPrivilege	2752	Backup ToGo.exe
Token: SeSystemProfilePrivilege	2752	Backup ToGo.exe
Token: SeTakeOwnershipPrivilege	2752	Backup ToGo.exe
Token: SeTcbPrivilege	2752	Backup ToGo.exe
Token: SeUndockPrivilege	2752	Backup ToGo.exe
Token: 0	2752	Backup ToGo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2752	Backup ToGo.exe
2752	Backup ToGo.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2752	Backup ToGo.exe
2752	Backup ToGo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2564	2160	BackupToGo_Install.exe	30
PID 2160 wrote to memory of 2564	2160	BackupToGo_Install.exe	30
PID 2160 wrote to memory of 2564	2160	BackupToGo_Install.exe	30
PID 2160 wrote to memory of 2564	2160	BackupToGo_Install.exe	30
PID 2160 wrote to memory of 2216	2160	BackupToGo_Install.exe	31
PID 2160 wrote to memory of 2216	2160	BackupToGo_Install.exe	31
PID 2160 wrote to memory of 2216	2160	BackupToGo_Install.exe	31
PID 2160 wrote to memory of 2216	2160	BackupToGo_Install.exe	31
PID 2160 wrote to memory of 2752	2160	BackupToGo_Install.exe	35
PID 2160 wrote to memory of 2752	2160	BackupToGo_Install.exe	35
PID 2160 wrote to memory of 2752	2160	BackupToGo_Install.exe	35
PID 2160 wrote to memory of 2752	2160	BackupToGo_Install.exe	35

C:\Users\Admin\AppData\Local\Temp\BackupToGo_Install.exe
"C:\Users\Admin\AppData\Local\Temp\BackupToGo_Install.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn "Backup ToGo" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\Backup_ToGo\Ini\TaskScd.xml" /tn "Backup ToGo"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2216
- C:\Program Files (x86)\Backup ToGo\Backup ToGo.exe
  "C:\Program Files (x86)\Backup ToGo\Backup ToGo.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Backup ToGo\Backup ToGo.exe

Filesize
5.7MB

MD5
52344fd019b493e1bbc5f6dedaa5c8d3

SHA1
236ea5e2b526da73d941d5e8ff90c79dac068b21

SHA256
c8e6e3de382692591ba8ee50d44117acfe6dc44ad2cd0999ba87685fb0b6100f

SHA512
ecc2d750c13a9b829c82bc948313df529d83457faf166b9b989efe6df1e238985691b1bb340c35428ea76ac48004f3e3ef469c29d0f82b85df3c01e69b9d7df1

Download Submit
C:\Program Files (x86)\Backup ToGo\Uninstall.exe

Filesize
3.4MB

MD5
090d21b745d28038f5366c2106be58b1

SHA1
3401cc91e083624adf80ce5894109b46092552ae

SHA256
8d55a8eac694894d83108a5aa75366774d1277553277d53323f2de853552184f

SHA512
856a19f3768af3398e59a66c8a2b1d68d5949c6136fb21a2168269bd1b7104ba3d8de94fce0de937e4036e37aec2cf5522bc9ce188b6809a37227aa570e8adfd

Download Submit
C:\Users\Admin\AppData\Roaming\Backup_ToGo\Ini\LangSet.ini

Filesize
6B

MD5
296b83c4f9bea1f33578f5fcd0f329a4

SHA1
e8a5e712aec609eee1597afc2abbe3650044bfa8

SHA256
cc1a434c7561f8c9e8a57de84e2a138f0b781b986cc21e85336edcecbabbe8e9

SHA512
0a7cbde9f820028aa1b39701cc215abf9eadea17ab341b65a244b4c7eed794f794dfd3a7a9511d5718a36ea113084b7ae01ac32575563dee518165db1dfbe162

Download Submit
C:\Users\Admin\AppData\Roaming\Backup_ToGo\Ini\TaskScd.xml

Filesize
1KB

MD5
4886aa89610c310bbad17a62d143b630

SHA1
2a1c16a460fa87eabc3afd23087d814a7d6f1cfe

SHA256
f4c1c29736e703313229489526249a7bc96a55cb7458fbafde35447620bca42c

SHA512
7c3a9138f6d8004a73e0377525a1631f38b4762fa0d2bbc6590d31ef597659dfb42a3f9b0d2bfad1d19e77933be25493571f018f79efcb5b431b37a5fcc1712d

Download Submit
memory/2160-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000000400000-0x0000000003A96000-memory.dmp

Filesize
54.6MB

Download
memory/2160-38-0x0000000000400000-0x0000000003A96000-memory.dmp

Filesize
54.6MB

Download
memory/2160-45-0x0000000000400000-0x0000000003A96000-memory.dmp

Filesize
54.6MB

Download
memory/2752-44-0x0000000000400000-0x00000000009C6000-memory.dmp

Filesize
5.8MB

Download
memory/2752-50-0x0000000000400000-0x00000000009C6000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads