Analysis

  • max time kernel
    19s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 14:38

General

  • Target

    51a0acc8c78452456894a85db18c31a9.exe

  • Size

    10.3MB

  • MD5

    51a0acc8c78452456894a85db18c31a9

  • SHA1

    bfc6fb39ef21d6626fec260216178ebfb47f86fa

  • SHA256

    a4944054682d38caacc690fba9a286c0edb217c5d3e099d47d5e492d3807da9a

  • SHA512

    6efe90fe8badba612187109691771e3bb297e430a7a86305fa600092badc910ec93a0b89b5432d6b7b900033648dab2c838d8a05cf755cc9a86857b3301e54ad

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe
    "C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\voggizkt\
      2⤵
        PID:1100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\caoabwua.exe" C:\Windows\SysWOW64\voggizkt\
        2⤵
          PID:1316
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create voggizkt binPath= "C:\Windows\SysWOW64\voggizkt\caoabwua.exe /d\"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:268
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description voggizkt "wifi internet conection"
            2⤵
              PID:1164
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start voggizkt
              2⤵
                PID:1552
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1968
              • C:\Windows\SysWOW64\voggizkt\caoabwua.exe
                C:\Windows\SysWOW64\voggizkt\caoabwua.exe /d"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1748
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                    PID:1740

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Persistence

                New Service

                1
                T1050

                Modify Existing Service

                1
                T1031

                Privilege Escalation

                New Service

                1
                T1050

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\caoabwua.exe
                  MD5

                  4dfd99d09894df5c51dfd3e9a0de398e

                  SHA1

                  aa2668d4cddfa5e7fb8b72e7259f40fcd9a61705

                  SHA256

                  606579bc7d05ec64731de027e7cd445e395946236226983c8e2c16bc09da95b5

                  SHA512

                  928ef2218f48956ebbe6826e04482a8db482fb89d42eb3b2821417ff544f1c65299800a94cc263dbee1610ea068b18054e703ba0375d57d3d7d7beaa579dee68

                • C:\Windows\SysWOW64\voggizkt\caoabwua.exe
                  MD5

                  4dfd99d09894df5c51dfd3e9a0de398e

                  SHA1

                  aa2668d4cddfa5e7fb8b72e7259f40fcd9a61705

                  SHA256

                  606579bc7d05ec64731de027e7cd445e395946236226983c8e2c16bc09da95b5

                  SHA512

                  928ef2218f48956ebbe6826e04482a8db482fb89d42eb3b2821417ff544f1c65299800a94cc263dbee1610ea068b18054e703ba0375d57d3d7d7beaa579dee68

                • memory/268-5-0x0000000000000000-mapping.dmp
                • memory/1100-2-0x0000000000000000-mapping.dmp
                • memory/1164-6-0x0000000000000000-mapping.dmp
                • memory/1316-3-0x0000000000000000-mapping.dmp
                • memory/1552-7-0x0000000000000000-mapping.dmp
                • memory/1740-11-0x00000000000C9A6B-mapping.dmp
                • memory/1740-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
                  Filesize

                  84KB

                • memory/1968-8-0x0000000000000000-mapping.dmp