Analysis

  • max time kernel
    141s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 12:16

General

  • Target

    955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe

  • Size

    136KB

  • MD5

    67291715c45c4594b8866e90fbf5c7c4

  • SHA1

    a86dcb1d04be68a9f2d2373ee55cbe15fd299452

  • SHA256

    955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c

  • SHA512

    703a9a69239ffe3bddf44fecf09136cb1e9872708d8e3d2d39f9904a4cc075d9e63d6b421bea8f1affeef855f8d9c5b903a517779777febaa84521824b4a07e1

  • SSDEEP

    3072:htd6tsZzcJ4vPX2sQ0mxrH6b6/Gz7KEMvFT:N6kAaHhpeb6+/kKE2T

Malware Config

Extracted

Family

tofsee

C2

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
    "C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
      "C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\gkbfiimc.exe
        "C:\Users\Admin\gkbfiimc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Users\Admin\gkbfiimc.exe
          "C:\Users\Admin\gkbfiimc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
              PID:1868
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 484
                6⤵
                • Program crash
                PID:4116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1141.bat" "
          3⤵
            PID:3596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1868 -ip 1868
        1⤵
          PID:4852

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1141.bat

          Filesize

          302B

          MD5

          1639c47626da43335eac31d44f937efe

          SHA1

          89202c374ce119a967f81dde3ed6ccb89b52f692

          SHA256

          84e91c9e44fb7a01f5aab6f38394b5f9f13fc59c9d1c7f3010ce6f21f94fdfe6

          SHA512

          d12c732c9c08a4ab660aa01791658c05a367df3a6bef31c208b84c951bdca2d0c2575100ca1bda27e76dda25f7832695c4316ff4e2822d6225cee56bf31236d8

        • C:\Users\Admin\gkbfiimc.exe

          Filesize

          39.5MB

          MD5

          db8c92067446d8fa1b48f2d283b516f4

          SHA1

          fb5b07ad19afd450eece22cac32cb525d7ad17d8

          SHA256

          e9ec5353cd244391660baeb539b283c443b68848bcd21cb0db2376d1e03d29bc

          SHA512

          8dc8d50b9faab1fe10e466008643ffca5302fbc1a932788c906e2bebf137283bbc18b68143add371f415a32af2436c6169e5a016a4665e72148584475acb387f

        • memory/1868-158-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

          Filesize

          72KB

        • memory/1868-157-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

          Filesize

          72KB

        • memory/1868-153-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

          Filesize

          72KB

        • memory/1868-152-0x0000000000000000-mapping.dmp

        • memory/2320-145-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2320-134-0x0000000000000000-mapping.dmp

        • memory/2320-138-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2320-137-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2320-135-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/3120-147-0x0000000000000000-mapping.dmp

        • memory/3120-154-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/3596-144-0x0000000000000000-mapping.dmp

        • memory/3980-139-0x0000000000000000-mapping.dmp