Overview

overview

10

Static

static

8

SecuriteIn...18.exe

windows7_x64

10

SecuriteIn...18.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.cc.20618

  • Size

    171KB

  • Sample

    201228-26cvynw98e

  • MD5

    000b21a6ac8f5d5fa950eed455556dd2

  • SHA1

    fe11975ba2efbc981619ea51f0875e65598a1daf

  • SHA256

    91568fbf16eb6e6c8e6e633163ef0ff94ca4956195438c61d1023614d6f18fa5

  • SHA512

    5205e5078bbb66f543541f7af3f463ea948c2c76df3d8fb4d4e1e50ef5dd2cd28352a9c73787d73d8a0996dce2d981ba03ca55ea342615df39e12510bbfe460f

Score
10/10
tofseexmrigevasionminerpersistencetrojanupx

Malware Config

Targets

    • Target

      SecuriteInfo.com.BehavesLike.Win32.Generic.cc.20618

    • Size

      171KB

    • MD5

      000b21a6ac8f5d5fa950eed455556dd2

    • SHA1

      fe11975ba2efbc981619ea51f0875e65598a1daf

    • SHA256

      91568fbf16eb6e6c8e6e633163ef0ff94ca4956195438c61d1023614d6f18fa5

    • SHA512

      5205e5078bbb66f543541f7af3f463ea948c2c76df3d8fb4d4e1e50ef5dd2cd28352a9c73787d73d8a0996dce2d981ba03ca55ea342615df39e12510bbfe460f

    Score
    10/10
    tofseexmrigevasionminerpersistencetrojanupx

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks