Overview

overview

10

Static

static

60e07537db...32.exe

windows7_x64

60e07537db...32.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1801s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-06-2022 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe

  • Size

    98KB

  • MD5

    9ad29d46cf10bae1cb938e5bcdf87ac4

  • SHA1

    7db1ddffd9bf441769c4125b484b3a5703053bc8

  • SHA256

    60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532

  • SHA512

    f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe
    "C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nlayewsk\
      2⤵
        PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wfxwfrvm.exe" C:\Windows\SysWOW64\nlayewsk\
        2⤵
          PID:3260
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nlayewsk binPath= "C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe /d\"C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:912
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nlayewsk "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4660
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nlayewsk
          2⤵
          • Launches sc.exe
          PID:2728
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4340
      • C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe
        C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe /d"C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4560
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:3648

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\wfxwfrvm.exe
        Filesize

        13.4MB

        MD5

        bb921302334cd1da428d89ec91f659c9

        SHA1

        f26c3d7a9719196aeef49661276bfe5138e8fe39

        SHA256

        12c74a6b032b097658f5aeb4ea8e4252c7716f883932630027129f44d9878a22

        SHA512

        cd5d231b83cd23c963bd64fe15adf32afef64e8e7943fee97a5e1626a206fb3cd781616591cb92af6edcff553c4340d1970e71da572483e1c055288b1a2eb9c0

        Download Submit
      • C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe
        Filesize

        13.4MB

        MD5

        bb921302334cd1da428d89ec91f659c9

        SHA1

        f26c3d7a9719196aeef49661276bfe5138e8fe39

        SHA256

        12c74a6b032b097658f5aeb4ea8e4252c7716f883932630027129f44d9878a22

        SHA512

        cd5d231b83cd23c963bd64fe15adf32afef64e8e7943fee97a5e1626a206fb3cd781616591cb92af6edcff553c4340d1970e71da572483e1c055288b1a2eb9c0

        Download Submit
      • memory/884-139-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/884-131-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/884-130-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/912-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2656-132-0x0000000000000000-mapping.dmp
        Download
      • memory/2728-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3260-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3648-142-0x0000000000000000-mapping.dmp
        Download
      • memory/3648-143-0x0000000000A00000-0x0000000000A15000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3648-147-0x0000000000A00000-0x0000000000A15000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3648-148-0x0000000000A00000-0x0000000000A15000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4340-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4560-141-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4560-145-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4660-136-0x0000000000000000-mapping.dmp
        Download