Analysis

  • max time kernel
    9s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 15:39

General

  • Target

    977f60bb46c98f4fece2c317fc17c504.exe

  • Size

    14.2MB

  • MD5

    977f60bb46c98f4fece2c317fc17c504

  • SHA1

    d246ad0209ed7041b0ee9004b36a4bad0513d876

  • SHA256

    2d09b4467fcf47fe6e2f95ea3af4b5dffe0522d87c1cbbe85bbe71ba81d7f628

  • SHA512

    4104422354bce5a50c08dda09529ddaef96fde520a84cf5f3c2ebfec794dfd1ba0c3ae0c7483ca6aef9c104f389db07793e05f0b1905a0fe7d03609c01677a39

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe
    "C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xkqcybpl\
      2⤵
        PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cesthprb.exe" C:\Windows\SysWOW64\xkqcybpl\
        2⤵
          PID:868
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xkqcybpl binPath= "C:\Windows\SysWOW64\xkqcybpl\cesthprb.exe /d\"C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1772
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description xkqcybpl "wifi internet conection"
            2⤵
              PID:796
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start xkqcybpl
              2⤵
                PID:760
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1076
              • C:\Windows\SysWOW64\xkqcybpl\cesthprb.exe
                C:\Windows\SysWOW64\xkqcybpl\cesthprb.exe /d"C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:272
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                    PID:1144

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Persistence

                New Service

                1
                T1050

                Modify Existing Service

                1
                T1031

                Privilege Escalation

                New Service

                1
                T1050

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\cesthprb.exe
                  MD5

                  7051af2a3ac88a17e9df406524773144

                  SHA1

                  ecbed7506d0a6dcc57008cb02b800842d7c52292

                  SHA256

                  d32000fe70f3ccca911391ffb271071df63ac520438144157f2056d2f0db5b56

                  SHA512

                  253a19608f172846fe31794366bbf9a0d5f8c607c2b934f55f0337600489570e88fe029d98ac0f22006ce22d2be461e77c722e3285d86091832c4c570c18f5ed

                • C:\Windows\SysWOW64\xkqcybpl\cesthprb.exe
                  MD5

                  7051af2a3ac88a17e9df406524773144

                  SHA1

                  ecbed7506d0a6dcc57008cb02b800842d7c52292

                  SHA256

                  d32000fe70f3ccca911391ffb271071df63ac520438144157f2056d2f0db5b56

                  SHA512

                  253a19608f172846fe31794366bbf9a0d5f8c607c2b934f55f0337600489570e88fe029d98ac0f22006ce22d2be461e77c722e3285d86091832c4c570c18f5ed

                • memory/760-7-0x0000000000000000-mapping.dmp
                • memory/796-6-0x0000000000000000-mapping.dmp
                • memory/868-3-0x0000000000000000-mapping.dmp
                • memory/1076-8-0x0000000000000000-mapping.dmp
                • memory/1144-10-0x00000000000D0000-0x00000000000E5000-memory.dmp
                  Filesize

                  84KB

                • memory/1144-11-0x00000000000D9A6B-mapping.dmp
                • memory/1168-2-0x0000000000000000-mapping.dmp
                • memory/1772-5-0x0000000000000000-mapping.dmp