Overview

overview

10

Static

static

06638a7f94...29.exe

windows7_x64

10

06638a7f94...29.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06638a7f94e86279d3188c9d02d54029.exe

  • Size

    13.4MB

  • MD5

    06638a7f94e86279d3188c9d02d54029

  • SHA1

    985ec19800fbf08a21780792671f5359da739ed6

  • SHA256

    e78965bb611ca20f0dd54e20a28a4edb801aa2cd07bc2acf21386979df7a0a8e

  • SHA512

    6f9839849f8bca21d5d2b431b8d6bda772d00846f104fffe77eb7bd80a094822b8c23bf316315dc8a9afe561d8e5e1c727e873a2f2443cd50ab17301e952cdba

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe
    "C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sirwsrsl\
      2⤵
        PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\njdjprja.exe" C:\Windows\SysWOW64\sirwsrsl\
        2⤵
          PID:1736
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create sirwsrsl binPath= "C:\Windows\SysWOW64\sirwsrsl\njdjprja.exe /d\"C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1288
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description sirwsrsl "wifi internet conection"
            2⤵
              PID:1740
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start sirwsrsl
              2⤵
                PID:844
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1556
              • C:\Windows\SysWOW64\sirwsrsl\njdjprja.exe
                C:\Windows\SysWOW64\sirwsrsl\njdjprja.exe /d"C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1352
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:632

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\njdjprja.exe
                MD5

                e99a2df622809367e3bee48a925ba4c8

                SHA1

                43b52b3bf0805af697579ba4e01e2358ec979865

                SHA256

                667aa46f2f208d98a4bab2f34932602140bf9e75127c367d49d6e3df45e6a9e0

                SHA512

                4cc2a6552e2bd320c2b437cc1477209c2a0bda605ccd982e284ea77670962c92fbf6ad0e9767ba5bc9501e40d766e831215fc6b99ec59ad79fb7ea3b564417d9

                Download Submit
              • C:\Windows\SysWOW64\sirwsrsl\njdjprja.exe
                MD5

                e99a2df622809367e3bee48a925ba4c8

                SHA1

                43b52b3bf0805af697579ba4e01e2358ec979865

                SHA256

                667aa46f2f208d98a4bab2f34932602140bf9e75127c367d49d6e3df45e6a9e0

                SHA512

                4cc2a6552e2bd320c2b437cc1477209c2a0bda605ccd982e284ea77670962c92fbf6ad0e9767ba5bc9501e40d766e831215fc6b99ec59ad79fb7ea3b564417d9

                Download Submit
              • memory/632-9-0x00000000000D0000-0x00000000000E5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/632-10-0x00000000000D9A6B-mapping.dmp
                Download
              • memory/844-7-0x0000000000000000-mapping.dmp
                Download
              • memory/1288-5-0x0000000000000000-mapping.dmp
                Download
              • memory/1556-12-0x0000000000000000-mapping.dmp
                Download
              • memory/1736-3-0x0000000000000000-mapping.dmp
                Download
              • memory/1740-6-0x0000000000000000-mapping.dmp
                Download
              • memory/2032-2-0x0000000000000000-mapping.dmp
                Download