Overview

overview

10

Static

static

94e4ed7d0a...2a.exe

windows7_x64

10

94e4ed7d0a...2a.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94e4ed7d0a0b60e98fd919efdc32592a.exe

  • Size

    11.4MB

  • MD5

    94e4ed7d0a0b60e98fd919efdc32592a

  • SHA1

    cf0d4453294987854f24a2c00f6de3a1663fbfce

  • SHA256

    83c55714a6ef78bd2bd73c83206ed16391c515d32004103209df36e09e387af3

  • SHA512

    b76c4b1a3228e55d00b89992ad0803ce6753eea6944cda2246c47737aa243629ee8fe8a377f96eb4c7cbb51ce431d3e530e8c077d6f84a629e7ad2e046943c5a

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe
    "C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jvytfnfb\
      2⤵
        PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\jvytfnfb\
        2⤵
          PID:1428
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jvytfnfb binPath= "C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1924
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description jvytfnfb "wifi internet conection"
            2⤵
              PID:432
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start jvytfnfb
              2⤵
                PID:240
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1132
              • C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe
                C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1168
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:824

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe
                MD5

                d1ea7e6201a63443237bbc455936d86d

                SHA1

                70780ddf99cf639271ce70fed48a52334dab337e

                SHA256

                261424f2ca85d336706ac7ba8154f4201e168fcac7595b9e49d6fa9d5c79bc92

                SHA512

                0db5471cb6180f2ad5eecd6126c8a37441187df369f86b61583e1f8dc1ff2bb4b6bebdf6c35b4856ac2bcd8ecd0bc7fea2723eb176e2e03eed004bded7285f8b

                Download Submit
              • C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe
                MD5

                d1ea7e6201a63443237bbc455936d86d

                SHA1

                70780ddf99cf639271ce70fed48a52334dab337e

                SHA256

                261424f2ca85d336706ac7ba8154f4201e168fcac7595b9e49d6fa9d5c79bc92

                SHA512

                0db5471cb6180f2ad5eecd6126c8a37441187df369f86b61583e1f8dc1ff2bb4b6bebdf6c35b4856ac2bcd8ecd0bc7fea2723eb176e2e03eed004bded7285f8b

                Download Submit
              • memory/240-7-0x0000000000000000-mapping.dmp
                Download
              • memory/432-6-0x0000000000000000-mapping.dmp
                Download
              • memory/824-9-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/824-10-0x0000000000089A6B-mapping.dmp
                Download
              • memory/1132-12-0x0000000000000000-mapping.dmp
                Download
              • memory/1428-3-0x0000000000000000-mapping.dmp
                Download
              • memory/1924-5-0x0000000000000000-mapping.dmp
                Download
              • memory/1996-2-0x0000000000000000-mapping.dmp
                Download