Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 13:30

General

  • Target

    0886900e6ab222d3c07748d15656ac31.exe

  • Size

    10.6MB

  • MD5

    0886900e6ab222d3c07748d15656ac31

  • SHA1

    09d03036d44c671692f1127c9f5b4a0d402b3774

  • SHA256

    d3a5a7bd70448e907398655362e916a9de3c8e80f9af2582e6bacdb01b0b502a

  • SHA512

    6520f0aa808539930f88c8f1f372f46de75c8ec12cee9774cbe3f885c78fe98a8c6a2c07171bb5d6aecef620e34fc9ef90e23451c166f7f7753107e914adb55f

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe
    "C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\driilcwr\
      2⤵
      PID:1148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jatwdqcb.exe" C:\Windows\SysWOW64\driilcwr\
      2⤵
      PID:1964
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create driilcwr binPath= "C:\Windows\SysWOW64\driilcwr\jatwdqcb.exe /d\"C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1756
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description driilcwr "wifi internet conection"
      2⤵
      PID:1352
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start driilcwr
      2⤵
      PID:1400
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1884
  • C:\Windows\SysWOW64\driilcwr\jatwdqcb.exe
    C:\Windows\SysWOW64\driilcwr\jatwdqcb.exe /d"C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (1) T1050
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    New Service (1) T1050
  • Defense Evasion
    Disabling Security Tools (1) T1089
    Modify Registry (2) T1112


Downloads

  • C:\Users\Admin\AppData\Local\Temp\jatwdqcb.exe
    MD5
    9f3d5a58ded585b7eb69472e0b4b3cb3
    SHA1
    763d72bca80e9c09d9d2031d863b42612f72b478
    SHA256
    655beaf4a72c4058c9b0f30697553a14be6f18b7eb94ed64515a4162f5a92ebb
    SHA512
    451b1fd5640334545f30dafb538df4312fd9222338f64b218df0127913db2566d3da6eb5035eae64fe83cace35eb2d8adc46b85d4619ab9db2a1f1d4a1af8a06

  • C:\Windows\SysWOW64\driilcwr\jatwdqcb.exe
    MD5
    9f3d5a58ded585b7eb69472e0b4b3cb3
    SHA1
    763d72bca80e9c09d9d2031d863b42612f72b478
    SHA256
    655beaf4a72c4058c9b0f30697553a14be6f18b7eb94ed64515a4162f5a92ebb
    SHA512
    451b1fd5640334545f30dafb538df4312fd9222338f64b218df0127913db2566d3da6eb5035eae64fe83cace35eb2d8adc46b85d4619ab9db2a1f1d4a1af8a06

  • memory/1148-2-0x0000000000000000-mapping.dmp
  • memory/1352-6-0x0000000000000000-mapping.dmp
  • memory/1400-7-0x0000000000000000-mapping.dmp
  • memory/1516-10-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB
  • memory/1516-11-0x0000000000089A6B-mapping.dmp
  • memory/1756-5-0x0000000000000000-mapping.dmp
  • memory/1884-8-0x0000000000000000-mapping.dmp
  • memory/1964-3-0x0000000000000000-mapping.dmp