Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-12-2020 12:38
General
-
Target
a9fa51ad1139e264aab2587952efa791.exe
-
Size
10.5MB
-
MD5
a9fa51ad1139e264aab2587952efa791
-
SHA1
d2f386beedc6ca2d0107360194757e287d59ade0
-
SHA256
34a778f45563129b9fd9ba7baaa297056f2cfa2f39804af405e2f25c989721c8
-
SHA512
394e02fcaeb785327a0fca1f5ca2bd852974010a38be79fc1b128405327ec6660ee17d07dd1b6dd9f0056b4746bd0ff3160e5418eea04b42bfff93de18ee501f
Malware Config
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe"C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jralbwti\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\idkhgdza.exe" C:\Windows\SysWOW64\jralbwti\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create jralbwti binPath= "C:\Windows\SysWOW64\jralbwti\idkhgdza.exe /d\"C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description jralbwti "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jralbwti2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Windows\SysWOW64\jralbwti\idkhgdza.exeC:\Windows\SysWOW64\jralbwti\idkhgdza.exe /d"C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\idkhgdza.exeMD5
c2c767e90d6f50ae2aa90b83f6bb6577
SHA17249badb5ac7d800753632bfba30f3a43e104509
SHA25674f988e5d903ef0204f893acd4be9169882d7051ad8afdb4735ffd9911791583
SHA5123accf8f4fb314ef94029f637c3c82c4cde6d1ccd740c1caeeb19053728f0d7530d884d0b8730f87d7c86e1dc0cfee5f4e9bfb10ac51be01e5600a224ac96d730
-
C:\Windows\SysWOW64\jralbwti\idkhgdza.exeMD5
c2c767e90d6f50ae2aa90b83f6bb6577
SHA17249badb5ac7d800753632bfba30f3a43e104509
SHA25674f988e5d903ef0204f893acd4be9169882d7051ad8afdb4735ffd9911791583
SHA5123accf8f4fb314ef94029f637c3c82c4cde6d1ccd740c1caeeb19053728f0d7530d884d0b8730f87d7c86e1dc0cfee5f4e9bfb10ac51be01e5600a224ac96d730
-
memory/428-10-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB
-
memory/428-11-0x0000000000089A6B-mapping.dmp
-
memory/428-12-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB
-
memory/668-6-0x0000000000000000-mapping.dmp
-
memory/780-8-0x0000000000000000-mapping.dmp
-
memory/1324-7-0x0000000000000000-mapping.dmp
-
memory/1552-3-0x0000000000000000-mapping.dmp
-
memory/1672-5-0x0000000000000000-mapping.dmp
-
memory/1996-2-0x0000000000000000-mapping.dmp