Overview

overview

10

Static

static

19cd7ad722...cf.exe

windows7_x64

10

19cd7ad722...cf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-06-2022 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe

  • Size

    142KB

  • MD5

    70780b64e4a6d98605af8971d4c087ea

  • SHA1

    862b12cfea6bf1c5e636f58e8bcdaf89482c94af

  • SHA256

    19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf

  • SHA512

    cbdfdf35c0f31aaf4870709aa07c3c93edf8c5b504d39f44838e9ffc4d7eeee3483e9c3a6c98a92d1fcdbb3e0e585127f0635c535575faa2509f9dbd54ac3950

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe
    "C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\healfpvy\
      2⤵
        PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pfjxnjem.exe" C:\Windows\SysWOW64\healfpvy\
        2⤵
          PID:1324
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create healfpvy binPath= "C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe /d\"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1540
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description healfpvy "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:524
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start healfpvy
          2⤵
          • Launches sc.exe
          PID:872
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1096
      • C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe
        C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe /d"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1448

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\pfjxnjem.exe
        Filesize

        11.7MB

        MD5

        6da79deee61f0fc7f4d21dbb15ca1163

        SHA1

        cd225a4f7cb3df3069664d18bc21011b630f6c61

        SHA256

        f22435044d6a5f90d08e8f1c3a65b35759784f376d3c4617b6b2b9bdae42d2a4

        SHA512

        b2108ce7070f79e04f68c43f2b336c81c4809ff0970d6d1bcd91f675962794f50fb3ae88fb8ee1027b1845256a170969b71331b6bc412c95f11bffcca6f50917

        Download Submit

      • C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe
        Filesize

        11.7MB

        MD5

        6da79deee61f0fc7f4d21dbb15ca1163

        SHA1

        cd225a4f7cb3df3069664d18bc21011b630f6c61

        SHA256

        f22435044d6a5f90d08e8f1c3a65b35759784f376d3c4617b6b2b9bdae42d2a4

        SHA512

        b2108ce7070f79e04f68c43f2b336c81c4809ff0970d6d1bcd91f675962794f50fb3ae88fb8ee1027b1845256a170969b71331b6bc412c95f11bffcca6f50917

        Download Submit

      • memory/524-60-0x0000000000000000-mapping.dmp

        Download

      • memory/872-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1096-63-0x0000000000000000-mapping.dmp

        Download

      • memory/1324-57-0x0000000000000000-mapping.dmp

        Download

      • memory/1448-67-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1448-69-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1448-70-0x0000000000089A6B-mapping.dmp

        Download

      • memory/1448-74-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1448-75-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1532-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1540-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1648-55-0x0000000076171000-0x0000000076173000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1648-54-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1948-65-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download