tongda | 7d6d085ca3c09ae099e8fc4822281dfc0e68607ca840ff5e5305bdc4d7f251e2

General

Target

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
Size

2.9MB
MD5

fdc4436fa5700e2ff984d25dfcb19a72
SHA1

d6503f42be986ef42fe20c39309111bad7602403
SHA256

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63
SHA512

a21a29ae37488ceb331405c1f53fa8e795dc1744561fa57352c1dadbc82e01e0bdd2f3b5c03a1dcf3f0d7dfb71670cf0be88d702b8757c3b83ba592212d59cc1

Score

10^/10

ransomware spyware tongda

Malware Config

Extracted

Path

C:\readme_readme_readme.txt

Family

tongda

Ransom Note

send 0.3 bitcoin to 12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p screenchot and key send to langdiru1887@protonmail.com and mawienkiu@yandex.com key:QI53WswlGWXCcXpoy1tUrk6xV+8PrIrwz9HHffkjNMjIkcJ1eYoN97bdkM2qRhusV1rCOvlGIcllPUVpjzKxkOmMmTJHIfWUSqZNX3ZZJY884S+n5NdP92jTEHS6uGUDFYSCDAtqHH7UX+T8c5ur2JIu3X2BA5rwOjuHd6P0dlduSOZ3q/Hm6/4qJDRB33pD+OPfNJBkZTVhHkdTTnw4mTf6p9uaYgSqjR/LzrFtyXzA7x66QkM83SLmpe/p77S9MjBqdEwLaF/5iLlpgnc70cBdWQivnSLDOXRI/dQKC/MYuLn4FH2P2/YHTj+Rl7QmJq6E9mCNwDrovtXLAitf2A==

Emails

langdiru1887@protonmail.com

mawienkiu@yandex.com

Wallets

12ZsBrX4UTsdjJbx84GcPFGEQaKMyYU29p

Signatures

Drops file in Program Files directory 584 IoCs

Processes:

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\br.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\AddSwitch.7z1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\7-Zip\Lang\an.txt1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png1	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe

Tongda 2000
Ransomware targetting the Chinese office management software Tongda OA.
ransomware tongda

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.execmd.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 744	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 744	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 744	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 744	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 744 wrote to memory of 1088	744	cmd.exe	taskkill.exe
PID 744 wrote to memory of 1088	744	cmd.exe	taskkill.exe
PID 744 wrote to memory of 1088	744	cmd.exe	taskkill.exe
PID 744 wrote to memory of 1088	744	cmd.exe	taskkill.exe
PID 896 wrote to memory of 1800	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 1800	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 1800	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 896 wrote to memory of 1800	896	7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe	cmd.exe
PID 1800 wrote to memory of 1812	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 1812	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 1812	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 1812	1800	cmd.exe	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1088 taskkill.exe
Token: SeDebugPrivilege 1812 taskkill.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1088 taskkill.exe
1812 taskkill.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe

pid	process
1088	taskkill.exe
1812	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
"C:\Users\Admin\AppData\Local\Temp\7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im mysqld.exe & cd ../mysql5/bin/ & move /Y mysqld.exe mysqld.exe1"
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mysqld.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im mysqld.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mysqld.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-0-0x0000000000000000-mapping.dmp

Download
memory/1088-1-0x0000000000000000-mapping.dmp

Download
memory/1800-2-0x0000000000000000-mapping.dmp

Download
memory/1812-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing