Overview

overview

10

Static

static

5f662e5221...89.exe

windows7-x64

10

5f662e5221...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe

  • Size

    102KB

  • MD5

    58c848f7841d332fc990a34e4ebe87d0

  • SHA1

    5ef60b4f3aba6c5fbc0f37dd0fab98e207801710

  • SHA256

    5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89

  • SHA512

    596a8d135ca17dfdfaa3b2a6d8f2ccc14073c711224023b26fa8c8d4003ce54ee96c0884140e4e22af4ce05d7783298ad499fabb01a28ec5cb23e99a335c5381

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
    "C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bluiadtr\
      2⤵
        PID:664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\azplsot.exe" C:\Windows\SysWOW64\bluiadtr\
        2⤵
          PID:3488
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create bluiadtr binPath= "C:\Windows\SysWOW64\bluiadtr\azplsot.exe /d\"C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4792
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description bluiadtr "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:764
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start bluiadtr
          2⤵
          • Launches sc.exe
          PID:1132
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2820

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\azplsot.exe
        Filesize

        13.3MB

        MD5

        c8f922ea46698db2b2d5454f4cab8c7a

        SHA1

        87a1bb778781e2ae85c848dd65509c6e7c316aae

        SHA256

        65944cea62ca1b2f7e8a0fa0f1434f3ef5b0d4b5cb51e57223a36bf952f5f2fe

        SHA512

        422f745bfbd3658b309497b8da93df01b27033fc49ec61a0bc81b0591a6bbecb02459d613311290d3d35415d13f0508003659a40d8f7475eb2dcce2b6b7b7697

        Download Submit
      • memory/204-130-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/664-131-0x0000000000000000-mapping.dmp
        Download
      • memory/764-135-0x0000000000000000-mapping.dmp
        Download
      • memory/1132-136-0x0000000000000000-mapping.dmp
        Download
      • memory/2820-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3488-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4792-134-0x0000000000000000-mapping.dmp
        Download