Analysis

  • max time kernel
    11s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 14:38

General

  • Target

    51a0acc8c78452456894a85db18c31a9.exe

  • Size

    10.3MB

  • MD5

    51a0acc8c78452456894a85db18c31a9

  • SHA1

    bfc6fb39ef21d6626fec260216178ebfb47f86fa

  • SHA256

    a4944054682d38caacc690fba9a286c0edb217c5d3e099d47d5e492d3807da9a

  • SHA512

    6efe90fe8badba612187109691771e3bb297e430a7a86305fa600092badc910ec93a0b89b5432d6b7b900033648dab2c838d8a05cf755cc9a86857b3301e54ad

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe
    "C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jshfqefy\
      2⤵
      PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nryiiwgc.exe" C:\Windows\SysWOW64\jshfqefy\
      2⤵
      PID:3772
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create jshfqefy binPath= "C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe /d\"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:3700
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description jshfqefy "wifi internet conection"
      2⤵
      PID:1896
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start jshfqefy
      2⤵
      PID:732
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:2972
  • C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe
    C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe /d"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • New Service (1): T1050
    • Modify Existing Service (1): T1031
  • Privilege Escalation
    • New Service (1): T1050


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nryiiwgc.exe
    MD5
    3b6c627614f0bdd84055498fce5d32f3
    SHA1
    f0ac453e9990e7cd9aa78d151a577cf67b9398a8
    SHA256
    a74c0d176834fdc5e7c8fdcccc097fb910f81f475ce5e7fcba44c915d8376599
    SHA512
    6e4a64b558ff7fb3e11db666f5071f5df08902c07013dd9a24ecc4bc2ea5a1239a5cbf69ef75557fb36d0c651b51572a4d5de7856d1ffe6d9d7dc4354533a519

  • C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe
    MD5
    3b6c627614f0bdd84055498fce5d32f3
    SHA1
    f0ac453e9990e7cd9aa78d151a577cf67b9398a8
    SHA256
    a74c0d176834fdc5e7c8fdcccc097fb910f81f475ce5e7fcba44c915d8376599
    SHA512
    6e4a64b558ff7fb3e11db666f5071f5df08902c07013dd9a24ecc4bc2ea5a1239a5cbf69ef75557fb36d0c651b51572a4d5de7856d1ffe6d9d7dc4354533a519

  • memory/592-9-0x0000000000490000-0x00000000004A5000-memory.dmp
    Filesize
    84KB

  • memory/592-10-0x0000000000499A6B-mapping.dmp
  • memory/732-7-0x0000000000000000-mapping.dmp
  • memory/1896-6-0x0000000000000000-mapping.dmp
  • memory/2516-2-0x0000000000000000-mapping.dmp
  • memory/2972-11-0x0000000000000000-mapping.dmp
  • memory/3700-5-0x0000000000000000-mapping.dmp
  • memory/3772-3-0x0000000000000000-mapping.dmp