Analysis

  • max time kernel
    159s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-06-2022 05:21

General

  • Target

    19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe

  • Size

    142KB

  • MD5

    70780b64e4a6d98605af8971d4c087ea

  • SHA1

    862b12cfea6bf1c5e636f58e8bcdaf89482c94af

  • SHA256

    19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf

  • SHA512

    cbdfdf35c0f31aaf4870709aa07c3c93edf8c5b504d39f44838e9ffc4d7eeee3483e9c3a6c98a92d1fcdbb3e0e585127f0635c535575faa2509f9dbd54ac3950

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe
    "C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hfveucfb\
      2⤵
      PID:680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vsdpjko.exe" C:\Windows\SysWOW64\hfveucfb\
      2⤵
      PID:3580
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create hfveucfb binPath= "C:\Windows\SysWOW64\hfveucfb\vsdpjko.exe /d\"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:4376
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description hfveucfb "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:4464
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start hfveucfb
      2⤵
      • Launches sc.exe
      PID:4404
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:3644
  • C:\Windows\SysWOW64\hfveucfb\vsdpjko.exe
    C:\Windows\SysWOW64\hfveucfb\vsdpjko.exe /d"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      PID:4368

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vsdpjko.exe
    Filesize

    10.5MB

    MD5

    1d7d230ddc3ffa0ee76c5a61032dd335

    SHA1

    a11c865b33ca5fa753bb3412556694a81d0343d7

    SHA256

    7ea4d9fdcd21a7561e650ee979a6407e1f4078faf58a1ac83d5b0b5a88826da3

    SHA512

    80fa23502a6d113cc432335604bb834d4de48429b66a8d374f0942a0391ac1fc9b0bd0b136f1faf1563724951ffaa95d2295f4a7870069ad74cc2fb0c10fcd0b

  • C:\Windows\SysWOW64\hfveucfb\vsdpjko.exe
    Filesize

    10.5MB

    MD5

    1d7d230ddc3ffa0ee76c5a61032dd335

    SHA1

    a11c865b33ca5fa753bb3412556694a81d0343d7

    SHA256

    7ea4d9fdcd21a7561e650ee979a6407e1f4078faf58a1ac83d5b0b5a88826da3

    SHA512

    80fa23502a6d113cc432335604bb834d4de48429b66a8d374f0942a0391ac1fc9b0bd0b136f1faf1563724951ffaa95d2295f4a7870069ad74cc2fb0c10fcd0b

  • memory/680-131-0x0000000000000000-mapping.dmp
  • memory/1480-139-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1692-130-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/3580-132-0x0000000000000000-mapping.dmp
  • memory/3644-137-0x0000000000000000-mapping.dmp
  • memory/4368-140-0x0000000000000000-mapping.dmp
  • memory/4368-141-0x00000000005A0000-0x00000000005B5000-memory.dmp
    Filesize

    84KB

  • memory/4368-143-0x00000000005A0000-0x00000000005B5000-memory.dmp
    Filesize

    84KB

  • memory/4368-144-0x00000000005A0000-0x00000000005B5000-memory.dmp
    Filesize

    84KB

  • memory/4368-145-0x00000000005A0000-0x00000000005B5000-memory.dmp
    Filesize

    84KB

  • memory/4376-134-0x0000000000000000-mapping.dmp
  • memory/4404-136-0x0000000000000000-mapping.dmp
  • memory/4464-135-0x0000000000000000-mapping.dmp