Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 03:22

General

  • Target

    308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe

  • Size

    120KB

  • MD5

    b84615094beeac27936f9d8838bba53c

  • SHA1

    03c41583b675686e05c855c2e891387c88df1933

  • SHA256

    308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230

  • SHA512

    06e49d5b95e5c601b8813fe21ae3bb0563e5231171b6655eb34a97403fb51d9e0e171d66907958c112cd6b43a61f57e101b6c3a691e8b843a1566c6fd61a621e

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe
    "C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nwgedvkd\
      2⤵
        PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\svddbzdm.exe" C:\Windows\SysWOW64\nwgedvkd\
        2⤵
          PID:3704
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nwgedvkd binPath= "C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe /d\"C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2916
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nwgedvkd "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1976
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nwgedvkd
          2⤵
          • Launches sc.exe
          PID:5008
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4608
      • C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe
        C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe /d"C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:3676

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\svddbzdm.exe
        Filesize

        10.9MB

        MD5

        f5a875b720e3a08fdc95b89b62dad873

        SHA1

        a092b462af7258829eb02572378fd6622c91db17

        SHA256

        9421855e78d7b761841603d4db0096b9b5fb4d910c7cc862f1607a4c9fd3ba34

        SHA512

        b98559151932af011358ad3797ec3bddae5214d3c12205d934cd88dfc574ba0cd6dcc384f6d2cc933493730ffaccbf1801ab03caaa8d0686db8fc70305414790

      • C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe
        Filesize

        10.9MB

        MD5

        f5a875b720e3a08fdc95b89b62dad873

        SHA1

        a092b462af7258829eb02572378fd6622c91db17

        SHA256

        9421855e78d7b761841603d4db0096b9b5fb4d910c7cc862f1607a4c9fd3ba34

        SHA512

        b98559151932af011358ad3797ec3bddae5214d3c12205d934cd88dfc574ba0cd6dcc384f6d2cc933493730ffaccbf1801ab03caaa8d0686db8fc70305414790

      • memory/1976-135-0x0000000000000000-mapping.dmp
      • memory/2288-131-0x0000000000000000-mapping.dmp
      • memory/2424-130-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/2916-134-0x0000000000000000-mapping.dmp
      • memory/3676-140-0x00000000012F0000-0x0000000001305000-memory.dmp
        Filesize

        84KB

      • memory/3676-139-0x0000000000000000-mapping.dmp
      • memory/3676-144-0x00000000012F0000-0x0000000001305000-memory.dmp
        Filesize

        84KB

      • memory/3676-145-0x00000000012F0000-0x0000000001305000-memory.dmp
        Filesize

        84KB

      • memory/3704-132-0x0000000000000000-mapping.dmp
      • memory/4220-138-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/4608-143-0x0000000000000000-mapping.dmp
      • memory/5008-136-0x0000000000000000-mapping.dmp