Analysis

  • max time kernel
    166s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-06-2022 16:09

General

  • Target

    0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe

  • Size

    98KB

  • MD5

    b34b1258a1e5b89d9fbdd9aac4c47bec

  • SHA1

    8f1550ed6e666752230cf637c71743512a6dda45

  • SHA256

    0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8

  • SHA512

    1bb74f49b3e37f60afc80c607460e451e143856a0a7212ef3136dc34ecb3969e27370b7fc5266ff73fd8eab62b5155d96a8288fb247f6104a1a911130dc306d5

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe
    "C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\quyzlhrl\
      2⤵
      PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe" C:\Windows\SysWOW64\quyzlhrl\
      2⤵
      PID:4452
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create quyzlhrl binPath= "C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe /d\"C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:456
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description quyzlhrl "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2864
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start quyzlhrl
      2⤵
      • Launches sc.exe
      PID:700
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:1856
  • C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe
    C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe /d"C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      PID:556

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe
    Filesize

    10.6MB

    MD5

    17c05f115b2269c0eb00dd507918db41

    SHA1

    5f3832bdad40ad1d122f4fa31d881d9b92b9dca1

    SHA256

    b14bbb07fa730e39b4722ddf1d56bc89a970f5369d21895cee11f82e55203c25

    SHA512

    fd1e6c1f79d8a079a3d4f9ec140d68cc4e6961e626ff098a8cdd0aaf09f0b0564180bdc03c7d4df90866a5eb0c86d0729aa0819539d38614cea84f8677f0cae9

  • C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe
    Filesize

    10.6MB

    MD5

    17c05f115b2269c0eb00dd507918db41

    SHA1

    5f3832bdad40ad1d122f4fa31d881d9b92b9dca1

    SHA256

    b14bbb07fa730e39b4722ddf1d56bc89a970f5369d21895cee11f82e55203c25

    SHA512

    fd1e6c1f79d8a079a3d4f9ec140d68cc4e6961e626ff098a8cdd0aaf09f0b0564180bdc03c7d4df90866a5eb0c86d0729aa0819539d38614cea84f8677f0cae9

  • memory/456-134-0x0000000000000000-mapping.dmp
  • memory/548-130-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/556-140-0x0000000000000000-mapping.dmp
  • memory/556-145-0x00000000003D0000-0x00000000003E5000-memory.dmp
    Filesize

    84KB

  • memory/556-144-0x00000000003D0000-0x00000000003E5000-memory.dmp
    Filesize

    84KB

  • memory/556-143-0x00000000003D0000-0x00000000003E5000-memory.dmp
    Filesize

    84KB

  • memory/556-141-0x00000000003D0000-0x00000000003E5000-memory.dmp
    Filesize

    84KB

  • memory/700-136-0x0000000000000000-mapping.dmp
  • memory/1404-139-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/1856-137-0x0000000000000000-mapping.dmp
  • memory/2480-131-0x0000000000000000-mapping.dmp
  • memory/2864-135-0x0000000000000000-mapping.dmp
  • memory/4452-132-0x0000000000000000-mapping.dmp