Analysis

  • max time kernel
    1798s
  • max time network
    1770s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-06-2022 22:38

General

  • Target

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe

  • Size

    14MB

  • MD5

    0e23bc0be4b1ddfa9fb1b05987dc7894

  • SHA1

    a7e8682f89910271a131f67cf7bd2ac4c250fe77

  • SHA256

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

  • SHA512

    c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

43.231.5.6

115.230.124.76

Signatures 10

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) ⋅ 1 TTPs
  • Executes dropped EXE ⋅ 1 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs 1 IoCs
  • Sets service image path in registry ⋅ 2 TTPs 1 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Launches sc.exe ⋅ 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory ⋅ 23 IoCs

Processes 9

  • C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
    "C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phdmmqhk\
      PID:3080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe" C:\Windows\SysWOW64\phdmmqhk\
      PID:1460
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create phdmmqhk binPath= "C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe\"" type= own start= auto DisplayName= "P2P Support"
      Launches sc.exe
      PID:5080
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description phdmmqhk "Internet Mobile Support"
      Launches sc.exe
      PID:4500
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start phdmmqhk
      Launches sc.exe
      PID:4004
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Modifies Windows Firewall
      PID:2672
  • C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
    C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      Sets service image path in registry
      PID:3580

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe
                      MD5

                      509457857f28e3a1c53493ea845936ff

                      SHA1

                      a9025bf46dc4ce0ae4773e6b842f517565def413

                      SHA256

                      61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057

                      SHA512

                      47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4

                    • C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
                      MD5

                      509457857f28e3a1c53493ea845936ff

                      SHA1

                      a9025bf46dc4ce0ae4773e6b842f517565def413

                      SHA256

                      61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057

                      SHA512

                      47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4

                    • memory/864-130-0x0000000000400000-0x000000000041D000-memory.dmp
                    • memory/1460-132-0x0000000000000000-mapping.dmp
                    • memory/2672-138-0x0000000000000000-mapping.dmp
                    • memory/3080-131-0x0000000000000000-mapping.dmp
                    • memory/3580-140-0x0000000000000000-mapping.dmp
                    • memory/3580-141-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
                    • memory/3580-144-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
                    • memory/3580-145-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
                    • memory/4004-136-0x0000000000000000-mapping.dmp
                    • memory/4500-135-0x0000000000000000-mapping.dmp
                    • memory/5080-134-0x0000000000000000-mapping.dmp