Overview

overview

10

Static

static

b355dc0b18...d3.exe

windows7_x64

10

b355dc0b18...d3.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b355dc0b186600b6812852aaba586ad3.exe

  • Size

    14.9MB

  • MD5

    b355dc0b186600b6812852aaba586ad3

  • SHA1

    c4cfb0e6073a520bb06bf442b322a1cc3f30b8f5

  • SHA256

    accf3e9fbd47c991968f035df3bfde01beddbb1dbcd667bd13dad9c52c18e17c

  • SHA512

    67cc9bcd4ab5703d2be50986a875d412cb4446b5b277c32b596bc386d13eaa1b1ffb85cc4a85ff7d85d15c5dac4048823f011c6cb3586bfcfe390d3a78d73ef5

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b355dc0b186600b6812852aaba586ad3.exe
    "C:\Users\Admin\AppData\Local\Temp\b355dc0b186600b6812852aaba586ad3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nyxdnjbj\
      2⤵
        PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uqkqwyqh.exe" C:\Windows\SysWOW64\nyxdnjbj\
        2⤵
          PID:3084
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nyxdnjbj binPath= "C:\Windows\SysWOW64\nyxdnjbj\uqkqwyqh.exe /d\"C:\Users\Admin\AppData\Local\Temp\b355dc0b186600b6812852aaba586ad3.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3856
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description nyxdnjbj "wifi internet conection"
            2⤵
              PID:1240
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start nyxdnjbj
              2⤵
                PID:1956
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1128
              • C:\Windows\SysWOW64\nyxdnjbj\uqkqwyqh.exe
                C:\Windows\SysWOW64\nyxdnjbj\uqkqwyqh.exe /d"C:\Users\Admin\AppData\Local\Temp\b355dc0b186600b6812852aaba586ad3.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1316
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:2748

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\uqkqwyqh.exe
                MD5

                4cb1fef36fa507a127bc71fda343cb19

                SHA1

                d811e61da57ca2c3de5c5b5d3921d47d10c47b5b

                SHA256

                ce1c0011859c73317defb5f42bf65f33a579d80c991fe54fa851eef0cd7f185d

                SHA512

                52acdec89d9b2b6e3e81f174dda8c812605ea7c8efb23c643a0537fa74ae84933cf7190fafd41122d5314dee1b3f249c1ff6ced8891eb066825ca0162df14308

                Download Submit

              • C:\Windows\SysWOW64\nyxdnjbj\uqkqwyqh.exe
                MD5

                4cb1fef36fa507a127bc71fda343cb19

                SHA1

                d811e61da57ca2c3de5c5b5d3921d47d10c47b5b

                SHA256

                ce1c0011859c73317defb5f42bf65f33a579d80c991fe54fa851eef0cd7f185d

                SHA512

                52acdec89d9b2b6e3e81f174dda8c812605ea7c8efb23c643a0537fa74ae84933cf7190fafd41122d5314dee1b3f249c1ff6ced8891eb066825ca0162df14308

                Download Submit

              • memory/1128-12-0x0000000000000000-mapping.dmp

                Download

              • memory/1240-6-0x0000000000000000-mapping.dmp

                Download

              • memory/1956-7-0x0000000000000000-mapping.dmp

                Download

              • memory/2244-2-0x0000000000000000-mapping.dmp

                Download

              • memory/2748-9-0x0000000002C90000-0x0000000002CA5000-memory.dmp

                Filesize

                84KB

                Download

              • memory/2748-10-0x0000000002C99A6B-mapping.dmp

                Download

              • memory/3084-3-0x0000000000000000-mapping.dmp

                Download

              • memory/3856-5-0x0000000000000000-mapping.dmp

                Download