Overview

overview

10

Static

static

23197502be...55.exe

windows7_x64

10

23197502be...55.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe

  • Size

    101KB

  • MD5

    fc3b31c8214d209f6783baedfbfd514b

  • SHA1

    f457e855dea420e7ae69129d1437b31c33b78d25

  • SHA256

    23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855

  • SHA512

    6232c34e88c1da8fd9d13cd6c81bce59b7552ade20d2e0df736334ae96f9501eb1e63f4f3dbc207e8096c7e3a2111db2c73067c84b50a6da2a62285c789d7eb4

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
    "C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lcvvlmhk\
      2⤵
        PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe" C:\Windows\SysWOW64\lcvvlmhk\
        2⤵
          PID:376
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create lcvvlmhk binPath= "C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe /d\"C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2052
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description lcvvlmhk "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4940
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start lcvvlmhk
          2⤵
          • Launches sc.exe
          PID:4896
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:5000
      • C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe
        C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe /d"C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:4376

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe
        Filesize

        10.1MB

        MD5

        5e4e68b6aff6e7e30d8d2843789b739d

        SHA1

        e5d2c31954bb81d0af703e49b8fdbf98d56c515c

        SHA256

        4b6a9567b984fb5bdfce772a84aa0ad965e3e7a75592f5907a7ab1e1d02510c4

        SHA512

        80e98ded975a41ba96d3e0821722209c7d3326a523ff681dc01f87cb00ac74cbe8ec23cf9aae671214fff45da81ea37041ec5a89ba89242ca2809d8febf2eee6

        Download Submit
      • C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe
        Filesize

        10.1MB

        MD5

        5e4e68b6aff6e7e30d8d2843789b739d

        SHA1

        e5d2c31954bb81d0af703e49b8fdbf98d56c515c

        SHA256

        4b6a9567b984fb5bdfce772a84aa0ad965e3e7a75592f5907a7ab1e1d02510c4

        SHA512

        80e98ded975a41ba96d3e0821722209c7d3326a523ff681dc01f87cb00ac74cbe8ec23cf9aae671214fff45da81ea37041ec5a89ba89242ca2809d8febf2eee6

        Download Submit
      • memory/376-132-0x0000000000000000-mapping.dmp
        Download
      • memory/2052-134-0x0000000000000000-mapping.dmp
        Download
      • memory/2756-130-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/2856-131-0x0000000000000000-mapping.dmp
        Download
      • memory/4376-141-0x0000000000860000-0x0000000000875000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4376-145-0x0000000000860000-0x0000000000875000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4376-144-0x0000000000860000-0x0000000000875000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4376-143-0x0000000000860000-0x0000000000875000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4376-140-0x0000000000000000-mapping.dmp
        Download
      • memory/4440-139-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/4896-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4940-135-0x0000000000000000-mapping.dmp
        Download
      • memory/5000-137-0x0000000000000000-mapping.dmp
        Download