Overview

overview

10

Static

static

2391d4e6b0...88.exe

windows7_x64

10

2391d4e6b0...88.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe

  • Size

    142KB

  • MD5

    c20d3f9c5dcd93a3dfd3b6e9aeea2541

  • SHA1

    c829d1ab536df96bcc67f136c8453b51e8407934

  • SHA256

    2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488

  • SHA512

    4dec42790939d1d486de2c43e802583c60ff984f1c7ed4c40b744635f3a0ec2c8c9c49c3bb6f2d1942cab0da21f61a62a62aaa07381cbc841ef5a49adf3195d9

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
    "C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hsfzauea\
      2⤵
        PID:820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mmsoccia.exe" C:\Windows\SysWOW64\hsfzauea\
        2⤵
          PID:1744
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hsfzauea binPath= "C:\Windows\SysWOW64\hsfzauea\mmsoccia.exe /d\"C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1060
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hsfzauea "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:912
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hsfzauea
          2⤵
          • Launches sc.exe
          PID:1556
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1696
      • C:\Windows\SysWOW64\hsfzauea\mmsoccia.exe
        C:\Windows\SysWOW64\hsfzauea\mmsoccia.exe /d"C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1864

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\mmsoccia.exe
        Filesize

        11.5MB

        MD5

        cbf4e0d7b4a6fd43d768bbd5ed812de5

        SHA1

        3131d98644079e4e4bc08db96f079fdce560404f

        SHA256

        6150ae456148fa1be0244cf4f915a6a9ed7c8b912e5b217ae1613fabf6e4d628

        SHA512

        4da7edd53a016e189be943d0012e0810463557db26dbe62a9f9a312048b3fcbdd296e414239d8f748f5ac839d5ae8c40284cafe5ad6b63c5283cdf2b89e0c89a

        Download Submit
      • C:\Windows\SysWOW64\hsfzauea\mmsoccia.exe
        Filesize

        11.5MB

        MD5

        cbf4e0d7b4a6fd43d768bbd5ed812de5

        SHA1

        3131d98644079e4e4bc08db96f079fdce560404f

        SHA256

        6150ae456148fa1be0244cf4f915a6a9ed7c8b912e5b217ae1613fabf6e4d628

        SHA512

        4da7edd53a016e189be943d0012e0810463557db26dbe62a9f9a312048b3fcbdd296e414239d8f748f5ac839d5ae8c40284cafe5ad6b63c5283cdf2b89e0c89a

        Download Submit
      • memory/820-56-0x0000000000000000-mapping.dmp
        Download
      • memory/912-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1060-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1128-65-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1464-55-0x0000000074B51000-0x0000000074B53000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1464-54-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1556-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1696-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1744-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1864-67-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1864-69-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1864-70-0x0000000000089A6B-mapping.dmp
        Download
      • memory/1864-74-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1864-75-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download