Overview

overview

10

Static

static

0e93b345b1...33.exe

windows7_x64

10

0e93b345b1...33.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-06-2022 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe

  • Size

    196KB

  • MD5

    371e8928f2518f19e3439a7f1870b6ce

  • SHA1

    685d65f85a1e23324fa378f9301a36a52ace4759

  • SHA256

    0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033

  • SHA512

    32703ea0d84be57d5efda99d0a4746d1c4fb5e6a634d24fe8760b6bfbeb23141f34212ea4d17c35497635f2ee4b02aba482577b1f1f3cc872bce903c6604787e

Score
10/10
tofseepersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
    "C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\bgfiznrs.exe
      "C:\Users\Admin\bgfiznrs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:1684
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 468
            4⤵
            • Program crash
            PID:552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7424.bat" "
        2⤵
          PID:2036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 1684
        1⤵
          PID:2792

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7424.bat
          Filesize

          302B

          MD5

          6b9cf7f6462dc12c2356a6687b4c2317

          SHA1

          ee40d8737db4d82a753d4c34585764fd4bcc6f35

          SHA256

          f48a50912a2e2c9de41ae4e91a88374dd97e5d9ae04da0c525b2408a41faba70

          SHA512

          3a306ba630df82d2fb0ae53886ade8931f3abfbb7f52d36d0541024f4a095e11226701aeef20682b37983e99ff8ed15c5f0e5fe3f87996edee1243bf0e6328af

          Download Submit
        • C:\Users\Admin\bgfiznrs.exe
          Filesize

          30.5MB

          MD5

          66a1060d584337078e890f20fe8aa671

          SHA1

          6982acd2ef4dc18a44b651f4703f8e2282da53ee

          SHA256

          77d24dce2dec9689a5f1c684ce1923246b40ff383d18c8a6b374b8fbeb5d9c51

          SHA512

          80368c5ffde392a168787a71711ac1a4923bfe3720b360e9e0c6cd11c96a35d799a44597642cda200f5a3c8a2c3f98cb5ef04cdcbd2d4da05ff89a01a6e2cade

          Download Submit
        • C:\Users\Admin\bgfiznrs.exe
          Filesize

          30.5MB

          MD5

          66a1060d584337078e890f20fe8aa671

          SHA1

          6982acd2ef4dc18a44b651f4703f8e2282da53ee

          SHA256

          77d24dce2dec9689a5f1c684ce1923246b40ff383d18c8a6b374b8fbeb5d9c51

          SHA512

          80368c5ffde392a168787a71711ac1a4923bfe3720b360e9e0c6cd11c96a35d799a44597642cda200f5a3c8a2c3f98cb5ef04cdcbd2d4da05ff89a01a6e2cade

          Download Submit
        • memory/1684-159-0x0000000000A50000-0x0000000000A62000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1684-158-0x0000000000A50000-0x0000000000A62000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1684-154-0x0000000000A50000-0x0000000000A62000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1684-153-0x0000000000000000-mapping.dmp
          Download
        • memory/2036-144-0x0000000000000000-mapping.dmp
          Download
        • memory/2520-145-0x0000000075180000-0x00000000752DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2520-132-0x0000000002CF1000-0x0000000002CF6000-memory.dmp
          Filesize

          20KB

          Download
        • memory/2520-143-0x0000000075180000-0x00000000752DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2520-134-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3540-147-0x0000000002141000-0x0000000002146000-memory.dmp
          Filesize

          20KB

          Download
        • memory/3540-157-0x0000000075180000-0x00000000752DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3540-138-0x0000000000000000-mapping.dmp
          Download