Overview

overview

10

Static

static

acb0fde336...82.exe

windows7_x64

10

acb0fde336...82.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acb0fde336fa98fc541c69925c2f7c82.exe

  • Size

    14.8MB

  • MD5

    acb0fde336fa98fc541c69925c2f7c82

  • SHA1

    c2bfd9dca872e5b99326904e8aef4be9f8d7fe0e

  • SHA256

    e2d8cb1ebc11e8eed1d7e815fea002ab8adb88a3a68da5c2485231174458af8f

  • SHA512

    0d3b93b6e9d2b430989ee18807f878b84862c01667210eff4c9262e5c641df15987990f7a99d27ff248a293e27b7252ac0e4e6ce9588f1d271d98a014e5406df

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe
    "C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dokwzpss\
      2⤵
        PID:3364
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\awqwcewn.exe" C:\Windows\SysWOW64\dokwzpss\
        2⤵
          PID:3168
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dokwzpss binPath= "C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe /d\"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3988
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description dokwzpss "wifi internet conection"
            2⤵
              PID:1640
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start dokwzpss
              2⤵
                PID:3244
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:3796
              • C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe
                C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe /d"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2272
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:3052

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\awqwcewn.exe
                MD5

                c5695b615202d227ead7131b4638425a

                SHA1

                6beb24061d14a59f16c477a426099afb1bedacb4

                SHA256

                89e92ca99c04ecf56186e1b5df60ba7540c3e50800a75c4ad79166d754869dd0

                SHA512

                8d3ba2cfcca11ca964d1a731f51ac342bddc3acae13edec6b427211cd34a99e2bfd1aa039c1fac6b7dd042f7bec84d867c1b40cd59f7976fd5ee175f7336c96d

                Download Submit
              • C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe
                MD5

                c5695b615202d227ead7131b4638425a

                SHA1

                6beb24061d14a59f16c477a426099afb1bedacb4

                SHA256

                89e92ca99c04ecf56186e1b5df60ba7540c3e50800a75c4ad79166d754869dd0

                SHA512

                8d3ba2cfcca11ca964d1a731f51ac342bddc3acae13edec6b427211cd34a99e2bfd1aa039c1fac6b7dd042f7bec84d867c1b40cd59f7976fd5ee175f7336c96d

                Download Submit
              • memory/1640-6-0x0000000000000000-mapping.dmp
                Download
              • memory/3052-10-0x00000000003C0000-0x00000000003D5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3052-11-0x00000000003C9A6B-mapping.dmp
                Download
              • memory/3052-12-0x00000000003C0000-0x00000000003D5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3168-3-0x0000000000000000-mapping.dmp
                Download
              • memory/3244-7-0x0000000000000000-mapping.dmp
                Download
              • memory/3364-2-0x0000000000000000-mapping.dmp
                Download
              • memory/3796-8-0x0000000000000000-mapping.dmp
                Download
              • memory/3988-5-0x0000000000000000-mapping.dmp
                Download