Analysis

  • max time kernel
    153s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2022 18:18

General

  • Target

    5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe

  • Size

    160KB

  • MD5

    0c4d08e0b8da928708643b270420852d

  • SHA1

    fcc3d633223a431ccc725c89403730ef506b49d7

  • SHA256

    5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5

  • SHA512

    baf7d0ab12f2f0133b24daf6b3cc046c2cc4963de5926e611cd4138d2c49df860e339d39d99a4c17435f00ddcc640a87295a5fbfb688fef044f1d7a0b5b97605

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22
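The extracted configuration above is the part of this report most worth feeding into other tooling, and the "label, blank line, value" layout the report uses is easy to parse mechanically. The following Python is an added example, not part of the sandbox report or of any Tofsee tooling: it parses an excerpt of this report (embedded inline, with one deliberately malformed C2 line added to exercise validation), rejects values that do not have the shape their label promises, and renders the survivors as STIX 2.1 indicator patterns. Label names, the section headings that reset the parser, and the `extract` helper are assumptions made for this example.

```python
import re

# Constructed excerpt of the report above in its own "Label / blank / value" layout.
# The line "999.1.1.1" is NOT from the report; it is inserted here only to show
# that malformed values are dropped by validate().
REPORT = """\
General

Target

5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe

Size

160KB

MD5

0c4d08e0b8da928708643b270420852d

SHA1

fcc3d633223a431ccc725c89403730ef506b49d7

SHA256

5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

999.1.1.1

Signatures
"""

# Labels whose following lines are values, and section headings that end a value run.
LABELS = {"Family", "C2", "Target", "Size", "MD5", "SHA1", "SHA256", "SHA512"}
SECTIONS = {"General", "Malware Config", "Extracted", "Signatures"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_report(text):
    """Collect every non-empty line under the most recent label; headings reset."""
    iocs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = None
        elif line in LABELS:
            current = line
            iocs.setdefault(current, [])
        elif current:
            iocs[current].append(line)
    return iocs


def validate(iocs):
    """Keep only hashes of the right length/alphabet and syntactically valid IPv4 C2s."""
    clean = {}
    for label, values in iocs.items():
        kept = []
        for value in values:
            if label in HASH_LEN:
                value = value.lower()
                if len(value) == HASH_LEN[label] and HEX.match(value):
                    kept.append(value)
            elif label == "C2":
                if IPV4.match(value):
                    kept.append(value)
            else:
                kept.append(value)
        clean[label] = kept
    return clean


# STIX 2.1 hash dictionary keys; names containing '-' must be quoted in a pattern.
STIX_HASH = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}


def stix_patterns(clean):
    """Render one STIX 2.1 comparison pattern per file hash and per C2 address."""
    patterns = []
    for label, name in STIX_HASH.items():
        key = f"'{name}'" if "-" in name else name
        for digest in clean.get(label, []):
            patterns.append(f"[file:hashes.{key} = '{digest}']")
    for ip in clean.get("C2", []):
        patterns.append(f"[ipv4-addr:value = '{ip}']")
    return patterns


def extract(text):
    """Hypothetical one-call helper: parsed+validated IoCs and their STIX patterns."""
    clean = validate(parse_report(text))
    return clean, stix_patterns(clean)


if __name__ == "__main__":
    clean, patterns = extract(REPORT)
    print(clean["Family"], clean["C2"])
    print("\n".join(patterns))
```

The IPv4 check matters in practice: sandbox config extractors sometimes emit hostnames, ports, or partially decoded garbage under the C2 label, and a blocklist built from them without validation silently fails or over-blocks.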

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The "likely ransomware" wording is the sandbox's generic description for this heuristic; the extracted config above identifies the sample as the Tofsee backdoor/botnet, so treat the drive enumeration as discovery rather than as evidence of encryption.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe
    "C:\Users\Admin\AppData\Local\Temp\5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Users\Admin\afehymqr.exe
      "C:\Users\Admin\afehymqr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:2760
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 472
            4⤵
            • Program crash
            PID:3800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3264.bat" "
        2⤵
          PID:4128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2760 -ip 2760
        1⤵
          PID:1284
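The process tree above is the most reusable part of this report for detection work: a dropper in Temp writes an executable with a random lowercase name to the root of the user profile, registers it under a Run key, and the dropped copy starts `C:\Windows\SysWOW64\svchost.exe` (with the SetThreadContext and WriteProcessMemory calls flagged in Signatures, a hollowing pattern) and a `cmd.exe /c` on a `.bat` in Temp. The Python below is an added example, not sandbox output or Tofsee tooling: it runs that logic over constructed Sysmon-style events modelled on the tree above (plus one benign svchost as a control) and then correlates the individual hits by process lineage so that four unrelated hits on a busy host do not add up to a chain. Field names, the event shapes, the eight-letter name heuristic, and the list of legitimate svchost parents are assumptions made for this example.

```python
import re

# Constructed Sysmon-style events (EID 1 = process create, EID 13 = registry value
# set) modelled on the process tree and signatures in the report above. They are
# illustrative input for this example, not output of the sandbox.
EVENTS = [
    {"eid": 1, "pid": 4508, "ppid": 5000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": ""},
    {"eid": 13, "pid": 4508,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\afehymqr",
     "details": r"C:\Users\Admin\afehymqr.exe"},
    {"eid": 1, "pid": 2672, "ppid": 4508, "image": r"C:\Users\Admin\afehymqr.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\5f169cada11fffca75af5eb67f6d0fd92c1042cca1ed460aa7196e4a9ecbb1a5.exe",
     "command_line": ""},
    {"eid": 1, "pid": 2760, "ppid": 2672, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": r"C:\Users\Admin\afehymqr.exe", "command_line": "svchost.exe"},
    {"eid": 1, "pid": 4128, "ppid": 2672, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\afehymqr.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3264.bat" "'},
    # Benign control: a normal svchost started by services.exe must not fire.
    {"eid": 1, "pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
]

# Heuristics (assumptions for this example, tuned to the tree above).
USER_DIR = re.compile(r"^C:\\Users\\", re.IGNORECASE)
PROFILE_ROOT_EXE = re.compile(r"^C:\\Users\\[^\\]+\\[a-z]{8}\.exe$", re.IGNORECASE)
SVCHOST = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)
LEGIT_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.bat", re.IGNORECASE)

CHAIN = {"dropped_exe_in_profile_root", "run_key_to_user_profile_exe",
         "svchost_with_unexpected_parent", "cmd_runs_temp_bat"}


def analyse(events):
    """Return (rule_name, pid) for every event that matches one of the four rules."""
    findings = []
    for ev in events:
        if ev["eid"] == 1:
            image, parent = ev["image"], ev.get("parent_image", "")
            cmdline = ev.get("command_line", "")
            if PROFILE_ROOT_EXE.match(image) and USER_DIR.match(parent):
                findings.append(("dropped_exe_in_profile_root", ev["pid"]))
            if SVCHOST.match(image) and parent.lower() not in LEGIT_SVCHOST_PARENTS:
                findings.append(("svchost_with_unexpected_parent", ev["pid"]))
            if image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(cmdline) and USER_DIR.match(parent):
                findings.append(("cmd_runs_temp_bat", ev["pid"]))
        elif ev["eid"] == 13:
            if RUN_KEY.search(ev["target"]) and USER_DIR.match(ev["details"]):
                findings.append(("run_key_to_user_profile_exe", ev["pid"]))
    return findings


def root_pid(pid, parents):
    """Walk ppid links to the oldest ancestor we have an event for (cycle-safe)."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def tofsee_chain_roots(events, findings):
    """Lineage roots under which every rule in CHAIN fired; [] means no full chain."""
    parents = {e["pid"]: e["ppid"] for e in events if e["eid"] == 1}
    by_root = {}
    for name, pid in findings:
        by_root.setdefault(root_pid(pid, parents), set()).add(name)
    return sorted(root for root, names in by_root.items() if CHAIN.issubset(names))


if __name__ == "__main__":
    hits = analyse(EVENTS)
    for name, pid in hits:
        print(f"{name:32} pid={pid}")
    print("full chain under root(s):", tofsee_chain_roots(EVENTS, hits))
```

The single strongest rule here is `svchost_with_unexpected_parent`: on a healthy Windows 10 host `svchost.exe` is started by `services.exe`, so a parent living under `C:\Users\` is worth an alert on its own, independent of the other three rules.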

        Network

        MITRE ATT&CK Matrix (ATT&CK v6)

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060 (ATT&CK v6 ID; later ATT&CK versions track this as T1547.001)

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3264.bat
          Filesize

          302B

          MD5

          c03289a40dc74395235d44c31eb9c93d

          SHA1

          06c2803256eca6c7f43627f0b5038a10e8bfc2eb

          SHA256

          8e324c02152e42805f98eb6e4cf0736948fd63a1189b2b127f962ddd55bb3cec

          SHA512

          0947e844ce1590137581c4e35aefa79a97b3ee112e5814f48bf9805a2cc53ecf6116607d02e296deb048012db2ec8b0dc36929aa37c7f74b742ccbfc52ee27f1

        • C:\Users\Admin\afehymqr.exe
          Filesize

          44.5MB (the dropped copy is far larger than the 160KB submitted sample; a written file inflated to this size is consistent with padding to stay above size limits of file scanners, so hash it rather than relying on size alone)

          MD5

          f7ad663aee2b9e75cb5a9a622b69b3bd

          SHA1

          b470ec135fe779288d16e663404f43bfe14b9da5

          SHA256

          51165abddad2900611d7b061bed90838bceaaff83cbbfa798868a7496696046e

          SHA512

          645738527e7821feeae18bb4b6fc20a69b530139405ff4249e8702d4bc50d6c293aaafb8773b76f8ef72226eca2c947d3274ce7b71af44f0837f905c441bd7db

        • memory/2672-159-0x0000000074F00000-0x000000007505D000-memory.dmp
          Filesize

          1.4MB

        • memory/2672-141-0x0000000000000000-mapping.dmp
        • memory/2672-147-0x0000000002C71000-0x0000000002C76000-memory.dmp
          Filesize

          20KB

        • memory/2760-161-0x0000000000580000-0x0000000000592000-memory.dmp
          Filesize

          72KB

        • memory/2760-157-0x0000000000580000-0x0000000000592000-memory.dmp
          Filesize

          72KB

        • memory/2760-156-0x0000000000000000-mapping.dmp
        • memory/4128-148-0x0000000000000000-mapping.dmp
        • memory/4508-146-0x0000000074F00000-0x000000007505D000-memory.dmp
          Filesize

          1.4MB

        • memory/4508-149-0x0000000074F00000-0x000000007505D000-memory.dmp
          Filesize

          1.4MB

        • memory/4508-134-0x0000000002DF1000-0x0000000002DF6000-memory.dmp
          Filesize

          20KB

        • memory/4508-140-0x0000000002DF1000-0x0000000002DF6000-memory.dmp
          Filesize

          20KB

        • memory/4508-136-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB