Analysis

  • max time kernel
    148s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 15:53

General

  • Target

    b23ec80dcfd2ee8ad973ac39a4b6488b.exe

  • Size

    13.5MB

  • MD5

    b23ec80dcfd2ee8ad973ac39a4b6488b

  • SHA1

    58a7c7a55442f3f22b61bb94eff369288f8b6392

  • SHA256

    388e770957cb4e6e396d8ef4a0cf158a69e3cdeb98157b013e79327013706afe

  • SHA512

    4f92d9235235702099771a60f5c8ea1fe83dd8dc2dbd05649d353f43de4c54a89249fb513659aad3022688e98cc8dbbe5a3ba144e12eedc3c2c000ca5d8e355d

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe
    "C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jtfvybzd\
      2⤵
        PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vdswjhqq.exe" C:\Windows\SysWOW64\jtfvybzd\
        2⤵
          PID:1752
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jtfvybzd binPath= "C:\Windows\SysWOW64\jtfvybzd\vdswjhqq.exe /d\"C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1840
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description jtfvybzd "wifi internet conection"
            2⤵
              PID:768
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start jtfvybzd
              2⤵
                PID:240
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1068
              • C:\Windows\SysWOW64\jtfvybzd\vdswjhqq.exe
                C:\Windows\SysWOW64\jtfvybzd\vdswjhqq.exe /d"C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:564
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:1036

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\vdswjhqq.exe
                MD5

                c18e564be45ada391e490814b5e60033

                SHA1

                8c10713675894e4499bbc38eac90f320623cccf1

                SHA256

                3c71a8c7c1eb564391473b2e8e64ff02977a1255a481cd5612ab5ab7b3abe3ca

                SHA512

                e822007fc8f9752413de4c0037a520324d71ddf416342a27e3b1c87ddce675676d29d5fb68e9cb21229b2cf0dcb0ebf806aa247906b2a19a89631ce94151da2a

              • C:\Windows\SysWOW64\jtfvybzd\vdswjhqq.exe
                MD5

                c18e564be45ada391e490814b5e60033

                SHA1

                8c10713675894e4499bbc38eac90f320623cccf1

                SHA256

                3c71a8c7c1eb564391473b2e8e64ff02977a1255a481cd5612ab5ab7b3abe3ca

                SHA512

                e822007fc8f9752413de4c0037a520324d71ddf416342a27e3b1c87ddce675676d29d5fb68e9cb21229b2cf0dcb0ebf806aa247906b2a19a89631ce94151da2a

              • memory/240-12-0x0000000000000000-mapping.dmp
              • memory/564-17-0x0000000004700000-0x0000000004711000-memory.dmp
                Filesize

                68KB

              • memory/564-16-0x00000000042AC000-0x00000000042AD000-memory.dmp
                Filesize

                4KB

              • memory/768-10-0x0000000000000000-mapping.dmp
              • memory/1036-19-0x0000000000089A6B-mapping.dmp
              • memory/1036-18-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

              • memory/1068-15-0x0000000000000000-mapping.dmp
              • memory/1684-4-0x0000000000000000-mapping.dmp
              • memory/1752-5-0x0000000000000000-mapping.dmp
              • memory/1840-8-0x0000000000000000-mapping.dmp
              • memory/2024-2-0x000000000421C000-0x000000000421D000-memory.dmp
                Filesize

                4KB

              • memory/2024-3-0x0000000005BB0000-0x0000000005BC1000-memory.dmp
                Filesize

                68KB