Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 15:37

General

  • Target

    94e4ed7d0a0b60e98fd919efdc32592a.exe

  • Size

    11.4MB

  • MD5

    94e4ed7d0a0b60e98fd919efdc32592a

  • SHA1

    cf0d4453294987854f24a2c00f6de3a1663fbfce

  • SHA256

    83c55714a6ef78bd2bd73c83206ed16391c515d32004103209df36e09e387af3

  • SHA512

    b76c4b1a3228e55d00b89992ad0803ce6753eea6944cda2246c47737aa243629ee8fe8a377f96eb4c7cbb51ce431d3e530e8c077d6f84a629e7ad2e046943c5a

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe
    "C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iqfvevwb\
      2⤵
        PID:3732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\arknuhts.exe" C:\Windows\SysWOW64\iqfvevwb\
        2⤵
          PID:1664
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create iqfvevwb binPath= "C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe /d\"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3684
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description iqfvevwb "wifi internet conection"
            2⤵
              PID:3828
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start iqfvevwb
              2⤵
                PID:196
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2924
              • C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe
                C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe /d"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2808
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:3612

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\arknuhts.exe
                MD5

                3fbc2dd55a1c728dce0b6882d9351604

                SHA1

                4c8d4f0fedb91383793e6b4e929f4ece9f0f299c

                SHA256

                2b078e8dc31ea3e4e9da1b9fa1a9d977d56cff507aa33c0df7291e8c412f7b0b

                SHA512

                f6d06fe51ffc6d750d3ce7886de992e6c20803cf63f5379ad68aa3d94bac867ffe0ea2ef0e865717d37cb7dd7228518fa4254a9311a9d9c0685e8e1a0b78ffae

              • C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe
                MD5

                3fbc2dd55a1c728dce0b6882d9351604

                SHA1

                4c8d4f0fedb91383793e6b4e929f4ece9f0f299c

                SHA256

                2b078e8dc31ea3e4e9da1b9fa1a9d977d56cff507aa33c0df7291e8c412f7b0b

                SHA512

                f6d06fe51ffc6d750d3ce7886de992e6c20803cf63f5379ad68aa3d94bac867ffe0ea2ef0e865717d37cb7dd7228518fa4254a9311a9d9c0685e8e1a0b78ffae

              • memory/196-7-0x0000000000000000-mapping.dmp
              • memory/1664-3-0x0000000000000000-mapping.dmp
              • memory/2924-8-0x0000000000000000-mapping.dmp
              • memory/3612-11-0x0000000000989A6B-mapping.dmp
              • memory/3612-10-0x0000000000980000-0x0000000000995000-memory.dmp
                Filesize

                84KB

              • memory/3684-5-0x0000000000000000-mapping.dmp
              • memory/3732-2-0x0000000000000000-mapping.dmp
              • memory/3828-6-0x0000000000000000-mapping.dmp