Analysis
-
max time kernel
1794s -
max time network
1786s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
06-06-2022 01:56
General
-
Target
5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946.exe
-
Size
10.5MB
-
MD5
222c77202aaadbae9167f125d5235c93
-
SHA1
bdaa4533ebd52e7c4936cc2612ae9cc850ccdd6c
-
SHA256
5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946
-
SHA512
834691c22d611de565c4b147728f74d7cc24b623c5bdda53f43e6fc129cce765a43cfb31982618e5fb341e676adf2eb816192b1fcb26a1cd00399429db46bbbe
Score
10/10
Malware Config
Extracted
Family
tofsee
C2
43.231.4.7
lazystax.ru
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 21 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946.exe"C:\Users\Admin\AppData\Local\Temp\5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 6042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 6922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 8442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 9802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 7362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 7362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 8402⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vafyauan\2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 9242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 11522⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mmnytusa.exe" C:\Windows\SysWOW64\vafyauan\2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 8122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 6682⤵
- Program crash
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vafyauan binPath= "C:\Windows\SysWOW64\vafyauan\mmnytusa.exe /d\"C:\Users\Admin\AppData\Local\Temp\5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 12202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 11642⤵
- Program crash
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vafyauan "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 11682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 12202⤵
- Program crash
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vafyauan2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 8122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 6802⤵
- Program crash
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 10402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\vafyauan\mmnytusa.exeC:\Windows\SysWOW64\vafyauan\mmnytusa.exe /d"C:\Users\Admin\AppData\Local\Temp\5c9432e3f389b63a63d2aa8eed0e91350b86370539542f5a9f572395eabef946.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1964 -ip 19641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3660 -ip 36601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3660 -ip 36601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 36601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mmnytusa.exeFilesize
14.7MB
MD506bde269eefefc468ba72c1b4cbba68d
SHA18de37d656292faeb9fd3fd2e55cd7eccda690caa
SHA25648662cbe5e727debe574d0441e0b48ed0baa7565212080e08900b1b5b97ba2f4
SHA512235a293b93ba44286611f01282dd91f6543f63963d864fd84e2a9bf472ab75f41ad61f3f36697abfe7fb2ebb7fcda7a3f95d43915fcb9e5600c274ba90a4e13e
-
C:\Windows\SysWOW64\vafyauan\mmnytusa.exeFilesize
14.7MB
MD506bde269eefefc468ba72c1b4cbba68d
SHA18de37d656292faeb9fd3fd2e55cd7eccda690caa
SHA25648662cbe5e727debe574d0441e0b48ed0baa7565212080e08900b1b5b97ba2f4
SHA512235a293b93ba44286611f01282dd91f6543f63963d864fd84e2a9bf472ab75f41ad61f3f36697abfe7fb2ebb7fcda7a3f95d43915fcb9e5600c274ba90a4e13e
-
memory/212-137-0x0000000000000000-mapping.dmp
-
memory/792-136-0x0000000000000000-mapping.dmp
-
memory/1236-147-0x0000000000EA0000-0x0000000000EB5000-memory.dmpFilesize
84KB
-
memory/1236-143-0x0000000000EA0000-0x0000000000EB5000-memory.dmpFilesize
84KB
-
memory/1236-150-0x0000000000EA0000-0x0000000000EB5000-memory.dmpFilesize
84KB
-
memory/1236-142-0x0000000000000000-mapping.dmp
-
memory/1480-134-0x0000000000000000-mapping.dmp
-
memory/1964-146-0x0000000000400000-0x0000000002321000-memory.dmpFilesize
31.1MB
-
memory/1964-141-0x000000000249A000-0x00000000024A8000-memory.dmpFilesize
56KB
-
memory/1964-131-0x00000000023F0000-0x0000000002403000-memory.dmpFilesize
76KB
-
memory/1964-132-0x0000000000400000-0x0000000002321000-memory.dmpFilesize
31.1MB
-
memory/1964-130-0x000000000249A000-0x00000000024A8000-memory.dmpFilesize
56KB
-
memory/3608-140-0x0000000000000000-mapping.dmp
-
memory/3660-148-0x0000000002595000-0x00000000025A3000-memory.dmpFilesize
56KB
-
memory/3660-149-0x0000000000400000-0x0000000002321000-memory.dmpFilesize
31.1MB
-
memory/3660-151-0x0000000000400000-0x0000000002321000-memory.dmpFilesize
31.1MB
-
memory/4076-138-0x0000000000000000-mapping.dmp
-
memory/4576-133-0x0000000000000000-mapping.dmp