General

  • Target: 5e89a9366b2c4fd17aa972a03b08a5a9a54fdc9499081b35ec1f162adf70d997
  • Size: 267KB
  • Sample: 220123-nmzmlagab4
  • MD5: 3adaacd89eab091b9e850985ed9c7f53
  • SHA1: 5d7c0007a1f503824b18ae8f6b56fd6a8b9235b1
  • SHA256: 5e89a9366b2c4fd17aa972a03b08a5a9a54fdc9499081b35ec1f162adf70d997
  • SHA512: 4f3654d9da122c3af195f403568bc1ad433c7958e07e8b9fff0d0b30abb986f2985c6326a3bfcf17275ad6051327c9da9b5182fa7bd2aab7140f5f2175b6af36

Malware Config

  Extracted
    • Family: tofsee
    • C2: patmushta.info, ovicrush.cn

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic / Technique: ID (number of matching signatures)

  Persistence
    • New Service: T1050 (1)
    • Modify Existing Service: T1031 (1)
    • Registry Run Keys / Startup Folder: T1060 (1)

  Privilege Escalation
    • New Service: T1050 (1)

  Defense Evasion
    • Disabling Security Tools: T1089 (1)
    • Modify Registry: T1112 (2)

  Discovery
    • System Information Discovery: T1082 (1)

Tasks