Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 17:20

General

  • Target

    31eaa3ab5036dcea2e51802b5323f8ead2bee421b053e45fd5163dc947bf0a29.exe

  • Size

    188KB

  • MD5

    1105de805f1450aa298c8e1a4e66032b

  • SHA1

    b37cc2df88bdd24e6132b1cff5d541df8d14fe69

  • SHA256

    31eaa3ab5036dcea2e51802b5323f8ead2bee421b053e45fd5163dc947bf0a29

  • SHA512

    6630672aca0d671ac3f8f6cd970139a1eae713ce3f911d1488d2c594178dc2bba6f1fc574a456c7829027f6a6f4e8660c5e76f83fde9fd98ecc91201e10e3699

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31eaa3ab5036dcea2e51802b5323f8ead2bee421b053e45fd5163dc947bf0a29.exe
    "C:\Users\Admin\AppData\Local\Temp\31eaa3ab5036dcea2e51802b5323f8ead2bee421b053e45fd5163dc947bf0a29.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\lqpsjxbc.exe
      "C:\Users\Admin\lqpsjxbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        PID:828
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5551.bat" "
        2⤵
        • Deletes itself
        PID:1672

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5551.bat
      Filesize

      302B

      MD5

      32d676742550924cb1715317603b1184

      SHA1

      db221b1613f7c743ae5777b584e15df39b86b27b

      SHA256

      d4eed8f6b9f27b5c72803fa13b4f71dda172d8f093e6e680aaf596fccc33bbb9

      SHA512

      2277ec15263811bdd0d4cb5cf5e34d147bf8c669a7d57e4796ccec0b7cfc0f639e8eabc0bc883a1697b1995dd6763c935cf59a35f6c139b4903f5258793356c8

    • C:\Users\Admin\lqpsjxbc.exe
      Filesize

      40.1MB

      MD5

      c0890b409aae0c830477cd2db32be7fe

      SHA1

      9270cdb3344022f07932e4507075c9d9f370d122

      SHA256

      23be6d47e835349176df0af333e9ee544c11be2f7d3cb614a967345937baa17d

      SHA512

      feaad22cb5791a4d6736df58493c22dbf2f4d2bdb872b7b621f274f07dd8f075c0a585c94c65f3b6242b20ec8a47f19424b34ca19744f9f995f1fe10a363e82f

    • \Users\Admin\lqpsjxbc.exe
      Filesize

      40.1MB

      MD5

      c0890b409aae0c830477cd2db32be7fe

      SHA1

      9270cdb3344022f07932e4507075c9d9f370d122

      SHA256

      23be6d47e835349176df0af333e9ee544c11be2f7d3cb614a967345937baa17d

      SHA512

      feaad22cb5791a4d6736df58493c22dbf2f4d2bdb872b7b621f274f07dd8f075c0a585c94c65f3b6242b20ec8a47f19424b34ca19744f9f995f1fe10a363e82f

    • memory/828-80-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

    • memory/828-90-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

    • memory/828-89-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

    • memory/828-87-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

    • memory/828-83-0x000000000008782D-mapping.dmp
    • memory/828-82-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

    • memory/1672-71-0x0000000000000000-mapping.dmp
    • memory/1836-72-0x0000000072940000-0x0000000072A93000-memory.dmp
      Filesize

      1.3MB

    • memory/1836-56-0x0000000002550000-0x0000000002660000-memory.dmp
      Filesize

      1.1MB

    • memory/1836-60-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1836-58-0x0000000076011000-0x0000000076013000-memory.dmp
      Filesize

      8KB

    • memory/1836-57-0x0000000002550000-0x0000000002660000-memory.dmp
      Filesize

      1.1MB

    • memory/1864-76-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1864-70-0x0000000002F40000-0x0000000003050000-memory.dmp
      Filesize

      1.1MB

    • memory/1864-85-0x0000000072940000-0x0000000072A93000-memory.dmp
      Filesize

      1.3MB

    • memory/1864-66-0x0000000000000000-mapping.dmp