General

  • Target

    C8F7.exe

  • Size

    123KB

  • Sample

    210213-2c4qm4qg3e

  • MD5

    cafce84f76fb35a8dcb2e1643db09707

  • SHA1

    db2a432a783fb4ed1e12ccd5a85f894eab8c38ff

  • SHA256

    94304428071b5b27927d6c5f88ca8a0da48e5361c12b1e258f6aafa0368179fc

  • SHA512

    ac40678374c8e9f02c0ded586f4b28749f12623d59f48c93c40b555fb650958359ec6b6931ccb2257214d982d8324ad7a1ef180e3d62b6bfef85620a31ba607b

Malware Config

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    New Service (T1050), 1 match
    Modify Existing Service (T1031), 1 match
    Registry Run Keys / Startup Folder (T1060), 1 match

  • Privilege Escalation

    New Service (T1050), 1 match

  • Defense Evasion

    Disabling Security Tools (T1089), 1 match
    Modify Registry (T1112), 2 matches

  • Discovery

    System Information Discovery (T1082), 1 match

Tasks