Analysis

  • max time kernel
    1793s
  • max time network
    1801s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 22:38

General

  • Target

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe

  • Size

    14MB

  • MD5

    0e23bc0be4b1ddfa9fb1b05987dc7894

  • SHA1

    a7e8682f89910271a131f67cf7bd2ac4c250fe77

  • SHA256

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

  • SHA512

    c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

43.231.5.6

115.230.124.76

Signatures 11

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass ⋅ 2 TTPs 1 IoCs
  • Creates new service(s) ⋅ 1 TTPs
  • Executes dropped EXE ⋅ 1 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs 1 IoCs
  • Sets service image path in registry ⋅ 2 TTPs 1 IoCs
  • Deletes itself ⋅ 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Launches sc.exe ⋅ 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory ⋅ 30 IoCs

Processes 9

  • C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
    "C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
    Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ydxtbtwr\
      PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lvjwkio.exe" C:\Windows\SysWOW64\ydxtbtwr\
      PID:2012
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ydxtbtwr binPath= "C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe /d\"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe\"" type= own start= auto DisplayName= "P2P Support"
      Launches sc.exe
      PID:1988
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ydxtbtwr "Internet Mobile Support"
      Launches sc.exe
      PID:1292
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ydxtbtwr
      Launches sc.exe
      PID:1712
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Modifies Windows Firewall
      PID:684
  • C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe
    C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe /d"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      Windows security bypass
      Sets service image path in registry
      Deletes itself
      PID:732

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\lvjwkio.exe
                      MD5

                      a6f8aad33c2565bb8e792c441012c0b1

                      SHA1

                      ddf38af5db5e015e60dc6c867de31764dbe4f8c1

                      SHA256

                      20f7315a9dd6b92f0ff757419eca682feab1a1bd5175309526e42fba55ab4d73

                      SHA512

                      f3930e8525d7056d3778c12d790eaf6d7ac4bc231a383b9c055fce5a6c93ab3c780f3899f0b1e5bbe47b0e8626a310d6a6ed1acaca12a83170d10ae809e280d7

                    • C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe
                      MD5

                      a6f8aad33c2565bb8e792c441012c0b1

                      SHA1

                      ddf38af5db5e015e60dc6c867de31764dbe4f8c1

                      SHA256

                      20f7315a9dd6b92f0ff757419eca682feab1a1bd5175309526e42fba55ab4d73

                      SHA512

                      f3930e8525d7056d3778c12d790eaf6d7ac4bc231a383b9c055fce5a6c93ab3c780f3899f0b1e5bbe47b0e8626a310d6a6ed1acaca12a83170d10ae809e280d7

                    • memory/684-63-0x0000000000000000-mapping.dmp
                    • memory/732-75-0x00000000000D0000-0x00000000000E6000-memory.dmp
                    • memory/732-74-0x00000000000D0000-0x00000000000E6000-memory.dmp
                    • memory/732-70-0x00000000000D9A7B-mapping.dmp
                    • memory/732-69-0x00000000000D0000-0x00000000000E6000-memory.dmp
                    • memory/732-67-0x00000000000D0000-0x00000000000E6000-memory.dmp
                    • memory/1124-56-0x0000000000000000-mapping.dmp
                    • memory/1292-60-0x0000000000000000-mapping.dmp
                    • memory/1492-54-0x0000000000400000-0x000000000041D000-memory.dmp
                    • memory/1492-55-0x0000000074C81000-0x0000000074C83000-memory.dmp
                    • memory/1712-61-0x0000000000000000-mapping.dmp
                    • memory/1988-59-0x0000000000000000-mapping.dmp
                    • memory/2012-57-0x0000000000000000-mapping.dmp