Overview

overview

10

Static

static

395523cf56...0c.exe

windows7_x64

10

395523cf56...0c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c.exe

  • Size

    142KB

  • MD5

    fb665d4a9976f7a8d7d53b4ee8d3a3fd

  • SHA1

    b2bcda3ea607a76f1f96d7b464bcec2950bc3da4

  • SHA256

    395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c

  • SHA512

    78bcc6ac3db476f1bb330c3bbf0fd18306d184c1b2ca189aa20bbd5dd0728a824f475141375ccb194aac76aefde1afc6dcfc0d34e348d8bc415f86dcf4f55ad7

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c.exe
    "C:\Users\Admin\AppData\Local\Temp\395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oydiena\
      2⤵
        PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xvjvwrpv.exe" C:\Windows\SysWOW64\oydiena\
        2⤵
          PID:1992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create oydiena binPath= "C:\Windows\SysWOW64\oydiena\xvjvwrpv.exe /d\"C:\Users\Admin\AppData\Local\Temp\395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2000
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description oydiena "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1072
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start oydiena
          2⤵
          • Launches sc.exe
          PID:520
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2044
        • C:\Users\Admin\tplxmbig.exe
          "C:\Users\Admin\tplxmbig.exe" /d"C:\Users\Admin\AppData\Local\Temp\395523cf56f7bb9497764d72ed71bab457bc86cd338e46ee4efe470777c6670c.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:844
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pyoihgpf.exe" C:\Windows\SysWOW64\oydiena\
            3⤵
              PID:1708
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" config oydiena binPath= "C:\Windows\SysWOW64\oydiena\pyoihgpf.exe /d\"C:\Users\Admin\tplxmbig.exe\""
              3⤵
              • Launches sc.exe
              PID:1336
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start oydiena
              3⤵
              • Launches sc.exe
              PID:1908
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              3⤵
              • Modifies Windows Firewall
              PID:1568
        • C:\Windows\SysWOW64\oydiena\pyoihgpf.exe
          C:\Windows\SysWOW64\oydiena\pyoihgpf.exe /d"C:\Users\Admin\tplxmbig.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            PID:1108

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        New Service

        1
        T1050

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        New Service

        1
        T1050

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\pyoihgpf.exe
          Filesize

          13.9MB

          MD5

          ed785ae3a12e7381b260e65a23489cdc

          SHA1

          5dde99f9fcbd8aba3f0034a959c6a76136a21871

          SHA256

          7658610c25dd9ca0feae82c8cfec1f793486eb3c786a64dee8562d7bf7e73edb

          SHA512

          db982b0801f0b9a3e1919c043e0c9a1a7c98d0837cfccd8a31045bd61e0947e9bba77e355e838c200e4adf6dc8cc255ab2fe32d5806940ce3e4a99c87d919e40

          Download Submit
        • C:\Users\Admin\tplxmbig.exe
          Filesize

          14.9MB

          MD5

          0292e73d8635f20b4d8f7d7214f5a2be

          SHA1

          3e55f1155206b339c9cbedbb225e643d08c2d9e4

          SHA256

          88592d35d625fe61ba923bcde49de634835728108f07d1667be266d4d123d641

          SHA512

          3b1c2434cfa48c503a7be3fb99cd7f38b616d82d06604d867e6671f8db7f6838c4ec244dc0aa16c364b49251c68c936e14795fd635cecdb1254a5c983c83f2b4

          Download Submit
        • C:\Users\Admin\tplxmbig.exe
          Filesize

          14.9MB

          MD5

          0292e73d8635f20b4d8f7d7214f5a2be

          SHA1

          3e55f1155206b339c9cbedbb225e643d08c2d9e4

          SHA256

          88592d35d625fe61ba923bcde49de634835728108f07d1667be266d4d123d641

          SHA512

          3b1c2434cfa48c503a7be3fb99cd7f38b616d82d06604d867e6671f8db7f6838c4ec244dc0aa16c364b49251c68c936e14795fd635cecdb1254a5c983c83f2b4

          Download Submit
        • C:\Windows\SysWOW64\oydiena\pyoihgpf.exe
          Filesize

          13.9MB

          MD5

          ed785ae3a12e7381b260e65a23489cdc

          SHA1

          5dde99f9fcbd8aba3f0034a959c6a76136a21871

          SHA256

          7658610c25dd9ca0feae82c8cfec1f793486eb3c786a64dee8562d7bf7e73edb

          SHA512

          db982b0801f0b9a3e1919c043e0c9a1a7c98d0837cfccd8a31045bd61e0947e9bba77e355e838c200e4adf6dc8cc255ab2fe32d5806940ce3e4a99c87d919e40

          Download Submit
        • \Users\Admin\tplxmbig.exe
          Filesize

          14.9MB

          MD5

          0292e73d8635f20b4d8f7d7214f5a2be

          SHA1

          3e55f1155206b339c9cbedbb225e643d08c2d9e4

          SHA256

          88592d35d625fe61ba923bcde49de634835728108f07d1667be266d4d123d641

          SHA512

          3b1c2434cfa48c503a7be3fb99cd7f38b616d82d06604d867e6671f8db7f6838c4ec244dc0aa16c364b49251c68c936e14795fd635cecdb1254a5c983c83f2b4

          Download Submit
        • \Users\Admin\tplxmbig.exe
          Filesize

          14.9MB

          MD5

          0292e73d8635f20b4d8f7d7214f5a2be

          SHA1

          3e55f1155206b339c9cbedbb225e643d08c2d9e4

          SHA256

          88592d35d625fe61ba923bcde49de634835728108f07d1667be266d4d123d641

          SHA512

          3b1c2434cfa48c503a7be3fb99cd7f38b616d82d06604d867e6671f8db7f6838c4ec244dc0aa16c364b49251c68c936e14795fd635cecdb1254a5c983c83f2b4

          Download Submit
        • memory/520-60-0x0000000000000000-mapping.dmp
          Download
        • memory/624-54-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize

          152KB

          Download
        • memory/624-55-0x0000000075801000-0x0000000075803000-memory.dmp
          Filesize

          8KB

          Download
        • memory/844-67-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize

          152KB

          Download
        • memory/844-64-0x0000000000000000-mapping.dmp
          Download
        • memory/1072-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1108-85-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1108-81-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1108-86-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1108-79-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1108-82-0x0000000000089A6B-mapping.dmp
          Download
        • memory/1336-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1484-77-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize

          152KB

          Download
        • memory/1568-75-0x0000000000000000-mapping.dmp
          Download
        • memory/1708-70-0x0000000000000000-mapping.dmp
          Download
        • memory/1908-73-0x0000000000000000-mapping.dmp
          Download
        • memory/1992-57-0x0000000000000000-mapping.dmp
          Download
        • memory/2000-58-0x0000000000000000-mapping.dmp
          Download
        • memory/2028-56-0x0000000000000000-mapping.dmp
          Download
        • memory/2044-61-0x0000000000000000-mapping.dmp
          Download