Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    20-06-2022 10:25

General

  • Target

    750fb1c0adbd3e75a4a398fbc8b185274dd08a662529fe72b962ed7f50b6afb2.exe

  • Size

    313KB

  • MD5

    8c59fd44034638f1bb8faf8e176f9957

  • SHA1

    db22814dda7aa3052159970207ef04c81f489796

  • SHA256

    750fb1c0adbd3e75a4a398fbc8b185274dd08a662529fe72b962ed7f50b6afb2

  • SHA512

    b02ade51044ab436ee21118bd4ab3029feaf22d0e8e44d96eb9462f0ea462634614c4d452c33f37ebbb6f92cee16e45cdcb526ccae561064391b3b6df508a4b9

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures 16

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass ⋅ 2 TTPs 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload ⋅ 1 IoCs
  • Creates new service(s) ⋅ 1 TTPs
  • Executes dropped EXE ⋅ 1 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs 1 IoCs
  • Sets service image path in registry ⋅ 2 TTPs 1 IoCs
  • Deletes itself ⋅ 1 IoCs
  • Drops file in System32 directory ⋅ 2 IoCs
  • Suspicious use of SetThreadContext ⋅ 2 IoCs
  • Launches sc.exe ⋅ 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS ⋅ 7 IoCs