Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 00:07

General

  • Target

    3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe

  • Size

    104KB

  • MD5

    67260c5c5215244985a54f8c8092bc8d

  • SHA1

    5d8c9edaee2219781a8488f21fdb1e193b8dc8a6

  • SHA256

    3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455

  • SHA512

    f31c7f275b42366eed39d5517be6a406645929c92bc6a471a1ebbc83ed1318c0c23982dca33b3351fd2088a335b213ef3db45fa6ba025c00b13a5427ae13e2df

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures 10

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) ⋅ 1 TTPs
  • Executes dropped EXE ⋅ 1 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs 1 IoCs
  • Sets service image path in registry ⋅ 2 TTPs 1 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Launches sc.exe ⋅ 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory ⋅ 23 IoCs

Processes 9

  • C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
    "C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xngfiiku\
      PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nlsonwul.exe" C:\Windows\SysWOW64\xngfiiku\
      PID:3508
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create xngfiiku binPath= "C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe /d\"C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe\"" type= own start= auto DisplayName= "wifi support"
      Launches sc.exe
      PID:4228
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description xngfiiku "wifi internet conection"
      Launches sc.exe
      PID:1664
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start xngfiiku
      Launches sc.exe
      PID:3532
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Modifies Windows Firewall
      PID:2140
  • C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe
    C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe /d"C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe"
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      Sets service image path in registry
      PID:2364

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\nlsonwul.exe
                      MD5

                      70a6dc63429eac823590883e372e1c58

                      SHA1

                      b225cf4241c2b5d5e1eb781c615d334134c40f80

                      SHA256

                      a10a11a3648fac2d3eb17917cac3b10eca8db938a4356783366a3e6322813b07

                      SHA512

                      b5d20fb3a2dd741926df0945a90ad06360833c9e41681f2dc91dc105a103b36e29d8b9337cc1f77e9c4defee45cf2b5836c49be9c8ba01d08b1f96bbd13ee865

                    • C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe
                      MD5

                      70a6dc63429eac823590883e372e1c58

                      SHA1

                      b225cf4241c2b5d5e1eb781c615d334134c40f80

                      SHA256

                      a10a11a3648fac2d3eb17917cac3b10eca8db938a4356783366a3e6322813b07

                      SHA512

                      b5d20fb3a2dd741926df0945a90ad06360833c9e41681f2dc91dc105a103b36e29d8b9337cc1f77e9c4defee45cf2b5836c49be9c8ba01d08b1f96bbd13ee865

                    • memory/1664-135-0x0000000000000000-mapping.dmp
                    • memory/2140-137-0x0000000000000000-mapping.dmp
                    • memory/2364-141-0x0000000000B90000-0x0000000000BA5000-memory.dmp
                    • memory/2364-145-0x0000000000B90000-0x0000000000BA5000-memory.dmp
                    • memory/2364-144-0x0000000000B90000-0x0000000000BA5000-memory.dmp
                    • memory/2364-143-0x0000000000B90000-0x0000000000BA5000-memory.dmp
                    • memory/2364-140-0x0000000000000000-mapping.dmp
                    • memory/2636-131-0x0000000000000000-mapping.dmp
                    • memory/3508-132-0x0000000000000000-mapping.dmp
                    • memory/3532-136-0x0000000000000000-mapping.dmp
                    • memory/4060-130-0x0000000000400000-0x000000000041D000-memory.dmp
                    • memory/4228-134-0x0000000000000000-mapping.dmp
                    • memory/4560-139-0x0000000000400000-0x000000000041D000-memory.dmp