Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 04:00

General

  • Target

    22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe

  • Size

    160KB

  • MD5

    151e547c0bcd4f597ae577fc6f5c0905

  • SHA1

    dadbc8ce69a363ef93b54cd8512d7b75dd96c13c

  • SHA256

    22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01

  • SHA512

    7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe
    "C:\Users\Admin\AppData\Local\Temp\22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\mmvugsfh.exe
      "C:\Users\Admin\mmvugsfh.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:1948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0731.bat" "
        2⤵
        • Deletes itself
        PID:1140

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0731.bat

      Filesize

      302B

      MD5

      52d8521f40c050325d4725db55fa88e5

      SHA1

      259e2b6b79b4c3fd6073d78cd968401b0de971e6

      SHA256

      7bdaa203ed4e4035f0f6871a51dc19a1300fb7f06b6c162673f1c34a15748733

      SHA512

      e86d26201f3ea1a24755209e66b0ba3e965db186029900ac23bc521ba9c91ce46631ff13ef78e79b6f35f70f0c60a4919f535b8805120ead2cde90b9fcea9ebf

    • C:\Users\Admin\mmvugsfh.exe

      Filesize

      160KB

      MD5

      151e547c0bcd4f597ae577fc6f5c0905

      SHA1

      dadbc8ce69a363ef93b54cd8512d7b75dd96c13c

      SHA256

      22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01

      SHA512

      7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb

    • C:\Users\Admin\mmvugsfh.exe

      Filesize

      160KB

      MD5

      151e547c0bcd4f597ae577fc6f5c0905

      SHA1

      dadbc8ce69a363ef93b54cd8512d7b75dd96c13c

      SHA256

      22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01

      SHA512

      7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb

    • \Users\Admin\mmvugsfh.exe

      Filesize

      160KB

      MD5

      151e547c0bcd4f597ae577fc6f5c0905

      SHA1

      dadbc8ce69a363ef93b54cd8512d7b75dd96c13c

      SHA256

      22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01

      SHA512

      7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb

    • \Users\Admin\mmvugsfh.exe

      Filesize

      160KB

      MD5

      151e547c0bcd4f597ae577fc6f5c0905

      SHA1

      dadbc8ce69a363ef93b54cd8512d7b75dd96c13c

      SHA256

      22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01

      SHA512

      7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb

    • memory/1140-73-0x0000000000000000-mapping.dmp

    • memory/1880-55-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/1880-61-0x00000000033C0000-0x0000000003419000-memory.dmp

      Filesize

      356KB

    • memory/1880-62-0x00000000033C0000-0x0000000003419000-memory.dmp

      Filesize

      356KB

    • memory/1880-54-0x0000000075311000-0x0000000075313000-memory.dmp

      Filesize

      8KB

    • memory/1880-74-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/1896-63-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/1896-71-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/1896-58-0x0000000000000000-mapping.dmp

    • memory/1948-66-0x0000000000080000-0x0000000000091000-memory.dmp

      Filesize

      68KB

    • memory/1948-67-0x0000000000087322-mapping.dmp

    • memory/1948-64-0x0000000000080000-0x0000000000091000-memory.dmp

      Filesize

      68KB

    • memory/1948-76-0x0000000000080000-0x0000000000091000-memory.dmp

      Filesize

      68KB

    • memory/1948-77-0x0000000000080000-0x0000000000091000-memory.dmp

      Filesize

      68KB