Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 13:42

General

  • Target

    13dc59ee41ac76115d4fa94d41ea9f4e.exe

  • Size

    13.6MB

  • MD5

    13dc59ee41ac76115d4fa94d41ea9f4e

  • SHA1

    63176b69b4a959e85ef1c391e4e090048e60a127

  • SHA256

    c36c064e1cf65d9e7acdd02967eb67475f83eb722efe3fd8e1767ccde84b32d1

  • SHA512

    f1a9f58f353bd5b265ac2b8461e740b2cd43b447a37acddb9f401e139f352259b711fd4f64abfb8d4ac7390f70cfe6e72c36c04c6b762868d92d0c7081df8c03

Malware Config

Signatures

  • Tofsee

    Modular backdoor/botnet, best known for spam distribution, that carries out malicious activities based on commands from its C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    sc.exe is the Windows command-line utility for creating, configuring and controlling services on the system.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe
    "C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\osizndri\
      2⤵
      PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gjrrpnra.exe" C:\Windows\SysWOW64\osizndri\
      2⤵
      PID:3556
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create osizndri binPath= "C:\Windows\SysWOW64\osizndri\gjrrpnra.exe /d\"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:4076
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description osizndri "wifi internet conection"
      2⤵
      PID:4060
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start osizndri
      2⤵
      PID:3936
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:3384
  • C:\Windows\SysWOW64\osizndri\gjrrpnra.exe
    C:\Windows\SysWOW64\osizndri\gjrrpnra.exe /d"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      PID:1460
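The command lines in the tree above contain the whole persistence chain in one place (service creation in a fresh SysWOW64 subdirectory, the dropper path handed to the service via /d, an inbound firewall allow rule for svchost.exe, and a svchost.exe child launched by the dropped service binary rather than by services.exe), so they make a compact test input for detection logic. The script below is an added example written for this page, not sandbox output and not code from the sample: it copies the sc.exe, netsh.exe and svchost.exe command lines from the tree as constructed input, splits them with a simplified Windows quoting rule (double-quote grouping plus the \" escape, which is all these lines use), and emits one finding per indicator. The finding names, the "deeper than the system directory" path test and the svchost parent/-k check are our own heuristics. Note that netsh.exe was spawned directly, not through cmd.exe, so the trailing >nul is a literal argument rather than a redirect; the parser strips it from the enable= value.

```python
"""Extract persistence and evasion indicators from the process tree above.

Added example for this report page; not sandbox tooling and not code from the
sample. The command lines in TREE are copied from the tree; the parsing and
scoring rules are our own heuristics (assumption: Windows quoting reduced to
"..." grouping and \\" escapes, which is all these command lines use)."""
import re

# Constructed from the report's process tree: (image, command line, parent image)
TREE = [
    (r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" create osizndri binPath= "C:\Windows\SysWOW64\osizndri\gjrrpnra.exe /d\"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe\"" type= own start= auto DisplayName= "wifi support"',
     r"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
     r"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"),
    (r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
     r"C:\Windows\SysWOW64\osizndri\gjrrpnra.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_cmdline(cmdline):
    """Split a Windows command line: whitespace separates arguments, "..."
    groups, and \\" yields a literal quote. The full CommandLineToArgvW
    backslash rules are not implemented; these command lines do not need them."""
    args, cur, in_quotes, pending = [], [], False, False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            in_quotes, pending = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
        i += 1
    if pending:
        args.append("".join(cur))
    return args


def parse_sc_create(args):
    """sc.exe create <name> key= value ... (sc.exe requires the space after '=')."""
    if len(args) < 3 or args[1].lower() != "create":
        return None
    svc = {"name": args[2]}
    i = 3
    while i + 1 < len(args):
        if args[i].endswith("="):
            svc[args[i][:-1].lower()] = args[i + 1]
            i += 2
        else:
            i += 1
    binpath = svc.get("binpath", "")
    svc["image"] = binpath.split(" ", 1)[0]  # the service path here has no spaces
    # Tofsee hands the dropper's own path to the service as /d"<path>"
    m = re.search(r'/d"([^"]+)"', binpath)
    svc["dropper"] = m.group(1) if m else None
    return svc


def parse_netsh_rule(args):
    """netsh advfirewall firewall add rule key=value ..."""
    if [a.lower() for a in args[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    rule = {}
    for tok in args[5:]:
        key, _, value = tok.partition("=")
        # netsh.exe was spawned directly, not via cmd.exe, so the author's
        # ">nul" redirect arrived as a literal suffix of the last argument
        rule[key.lower()] = re.sub(r">nul$", "", value, flags=re.I)
    return rule


def score(tree):
    """Return (finding, *details) tuples for the indicators in the tree."""
    findings = []
    for image, cmdline, parent in tree:
        args = split_cmdline(cmdline)
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "sc.exe":
            svc = parse_sc_create(args)
            if not svc:
                continue
            img = svc["image"].lower()
            # auto-start service whose binary sits in a new subfolder of the
            # system directory instead of in the system directory itself
            if img.startswith(SYSTEM_DIRS) and img.count("\\") > 3 and svc.get("start") == "auto":
                findings.append(("service_persistence", svc["name"], svc["image"], svc.get("displayname")))
            if svc["dropper"]:
                findings.append(("dropper_path_in_service_args", svc["name"], svc["dropper"]))
        elif exe == "netsh.exe":
            rule = parse_netsh_rule(args)
            if rule and rule.get("dir") == "in" and rule.get("action") == "allow" \
                    and rule.get("program", "").lower().endswith("\\svchost.exe"):
                findings.append(("firewall_allow_svchost", rule.get("name"), rule["program"]))
        elif exe == "svchost.exe":
            # a genuine svchost.exe is started by services.exe with "-k <group>"
            if not parent.lower().endswith("\\services.exe") or "-k" not in args:
                findings.append(("svchost_hollowing_candidate", parent, cmdline))
    return findings


if __name__ == "__main__":
    for finding in score(TREE):
        print(" | ".join(str(x) for x in finding))
```

On a live host the same indicators surface as the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\osizndri (the key sc.exe create writes, which is what the "Sets service image path in registry" signature refers to) and as a firewall rule named "Host-process for services of Windows" for the 32-bit svchost.exe; the svchost.exe without a -k group whose parent is the service binary is the hollowing target the SetThreadContext and WriteProcessMemory signatures point at.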

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (T1050): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Privilege Escalation
    New Service (T1050): 1
  • Defense Evasion
    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\gjrrpnra.exe
    MD5     b2a075ab2b2381ff2fc3c396bd4dc554
    SHA1    6ba1693eede3061795ea1fdeab783c92b1d8b21c
    SHA256  9ddfcae3a731e840b7552d166112ce23a88806d9ff9769984c34ea974db07fb2
    SHA512  6e671670c557775201f2258a26ce5f7a90b86aca00c9032c6012ab1a66cb62f8f02f56f26056e2aac43cb3f00609593d4a9eb02bd3bdf4a22dd7f7b405791c3d
  • C:\Windows\SysWOW64\osizndri\gjrrpnra.exe (same file as above, moved into the service directory; identical hashes)
    MD5     b2a075ab2b2381ff2fc3c396bd4dc554
    SHA1    6ba1693eede3061795ea1fdeab783c92b1d8b21c
    SHA256  9ddfcae3a731e840b7552d166112ce23a88806d9ff9769984c34ea974db07fb2
    SHA512  6e671670c557775201f2258a26ce5f7a90b86aca00c9032c6012ab1a66cb62f8f02f56f26056e2aac43cb3f00609593d4a9eb02bd3bdf4a22dd7f7b405791c3d
  • memory/1460-10-0x00000000005E0000-0x00000000005F5000-memory.dmp
    Filesize  84KB
  • memory/1460-11-0x00000000005E9A6B-mapping.dmp
  • memory/3000-2-0x0000000000000000-mapping.dmp
  • memory/3384-8-0x0000000000000000-mapping.dmp
  • memory/3556-3-0x0000000000000000-mapping.dmp
  • memory/3936-7-0x0000000000000000-mapping.dmp
  • memory/4060-6-0x0000000000000000-mapping.dmp
  • memory/4076-5-0x0000000000000000-mapping.dmp