Overview

overview

10

Static

static

a2f750ea33...cb.exe

windows7_x64

10

a2f750ea33...cb.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2f750ea33e71a374a0e40cb66bad6cb.exe

  • Size

    10.7MB

  • MD5

    a2f750ea33e71a374a0e40cb66bad6cb

  • SHA1

    c13139c6d890e4c4fa7772751c4459a74f9ec382

  • SHA256

    0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d

  • SHA512

    739f55776c23f55646261154873fc3c29ed53506e54703d2989ac796443b65947b197a71b7a21f273d2d81c299759d8247f3d2be9a58004e02aa02a8ddc66f80

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2f750ea33e71a374a0e40cb66bad6cb.exe
    "C:\Users\Admin\AppData\Local\Temp\a2f750ea33e71a374a0e40cb66bad6cb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dblmjljc\
      2⤵
        PID:772
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\edneywlx.exe" C:\Windows\SysWOW64\dblmjljc\
        2⤵
          PID:1744
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dblmjljc binPath= "C:\Windows\SysWOW64\dblmjljc\edneywlx.exe /d\"C:\Users\Admin\AppData\Local\Temp\a2f750ea33e71a374a0e40cb66bad6cb.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1368
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description dblmjljc "wifi internet conection"
            2⤵
              PID:1636
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start dblmjljc
              2⤵
                PID:1572
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1100
              • C:\Windows\SysWOW64\dblmjljc\edneywlx.exe
                C:\Windows\SysWOW64\dblmjljc\edneywlx.exe /d"C:\Users\Admin\AppData\Local\Temp\a2f750ea33e71a374a0e40cb66bad6cb.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:968
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:1056

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\edneywlx.exe
                MD5

                a0fc0b8ee4cb52f4ed8952ac211c150d

                SHA1

                4f65823c822e1b3936fed47544a3f4f24cc673fa

                SHA256

                964e6abe8e7f229118a4eedc2116e030bca365834e0639b00837fed7536ebb40

                SHA512

                635e4165a5e227e61136ed8d5d814f0237be5963f75f34746af42e857ce3559702374f231adc654dee1d3747195ddc41862bfd0faf0b8b6c5a261d5af7806f3c

                Download Submit

              • C:\Windows\SysWOW64\dblmjljc\edneywlx.exe
                MD5

                a0fc0b8ee4cb52f4ed8952ac211c150d

                SHA1

                4f65823c822e1b3936fed47544a3f4f24cc673fa

                SHA256

                964e6abe8e7f229118a4eedc2116e030bca365834e0639b00837fed7536ebb40

                SHA512

                635e4165a5e227e61136ed8d5d814f0237be5963f75f34746af42e857ce3559702374f231adc654dee1d3747195ddc41862bfd0faf0b8b6c5a261d5af7806f3c

                Download Submit

              • memory/772-2-0x0000000000000000-mapping.dmp

                Download

              • memory/1056-10-0x00000000000C0000-0x00000000000D5000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1056-11-0x00000000000C9A6B-mapping.dmp

                Download

              • memory/1100-8-0x0000000000000000-mapping.dmp

                Download

              • memory/1368-5-0x0000000000000000-mapping.dmp

                Download

              • memory/1572-7-0x0000000000000000-mapping.dmp

                Download

              • memory/1636-6-0x0000000000000000-mapping.dmp

                Download

              • memory/1744-3-0x0000000000000000-mapping.dmp

                Download