Analysis

  • max time kernel
    150s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 22:08

General

  • Target

    file.exe

  • Size

    167KB

  • MD5

    068af12a4fde5998014522a0e8eaeb06

  • SHA1

    e51abb1d6ef5a889b398a670c60f20cec46f7f95

  • SHA256

    ddeaca50e21813ebb8ee743cca315e0f1d7a05900d4369b652f68f5baeaa6f38

  • SHA512

    9b931733b2b6a478d639aa5cca89e36fe37d3a225277e985ae845a8362bd14186e59f879435ecd3a975010df752c9e8e9c8cedf62a760c87246383e22bdad71c

  • SSDEEP

    3072:zBl9IavvucboHS5J1VQErTHNXrDDJkbV5vw:h/HLboi/QEPVDlkB

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ppvtmumf\
      2⤵
      PID:4796
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ngdlcvpm.exe" C:\Windows\SysWOW64\ppvtmumf\
      2⤵
      PID:4760
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ppvtmumf binPath= "C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:1012
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ppvtmumf "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2304
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ppvtmumf
      2⤵
      • Launches sc.exe
      PID:2316
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:3424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1040
      2⤵
      • Program crash
      PID:3940
  • C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe
    C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 508
      2⤵
      • Program crash
      PID:4352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4244 -ip 4244
    1⤵
    PID:4296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4464 -ip 4464
    1⤵
    PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (1) T1050
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    New Service (1) T1050
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\ngdlcvpm.exe
    Filesize: 11.8MB
    MD5: 84e69288fd9865e7a97aa13d50b3be22
    SHA1: 956210829f2e2698ee71ddc3875aaab3786321a0
    SHA256: 1442de796a0c59de03ba19314c5d765b70b9867b3e91c36317e6357e6ac15e8b
    SHA512: 0bc86e171b6cf93a82ae6eef3d6b49e41e0577499c72c44c2f3075849e11f74089ea1a07e0d647cb392b9b641d7eb954624cb9b03b5098958ac76a3541832c95
  • C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe
    Filesize: 11.8MB
    MD5: 84e69288fd9865e7a97aa13d50b3be22
    SHA1: 956210829f2e2698ee71ddc3875aaab3786321a0
    SHA256: 1442de796a0c59de03ba19314c5d765b70b9867b3e91c36317e6357e6ac15e8b
    SHA512: 0bc86e171b6cf93a82ae6eef3d6b49e41e0577499c72c44c2f3075849e11f74089ea1a07e0d647cb392b9b641d7eb954624cb9b03b5098958ac76a3541832c95
  • memory/784-152-0x0000000000510000-0x0000000000525000-memory.dmp
    Filesize: 84KB
  • memory/784-151-0x0000000000510000-0x0000000000525000-memory.dmp
    Filesize: 84KB
  • memory/784-146-0x0000000000510000-0x0000000000525000-memory.dmp
    Filesize: 84KB
  • memory/784-145-0x0000000000000000-mapping.dmp
  • memory/1012-138-0x0000000000000000-mapping.dmp
  • memory/2304-139-0x0000000000000000-mapping.dmp
  • memory/2316-140-0x0000000000000000-mapping.dmp
  • memory/3424-142-0x0000000000000000-mapping.dmp
  • memory/4244-144-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize: 3.0MB
  • memory/4244-143-0x00000000008A0000-0x00000000008B3000-memory.dmp
    Filesize: 76KB
  • memory/4244-132-0x000000000093D000-0x000000000094D000-memory.dmp
    Filesize: 64KB
  • memory/4244-134-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize: 3.0MB
  • memory/4244-133-0x00000000008A0000-0x00000000008B3000-memory.dmp
    Filesize: 76KB
  • memory/4464-149-0x00000000007A8000-0x00000000007B9000-memory.dmp
    Filesize: 68KB
  • memory/4464-150-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize: 3.0MB
  • memory/4760-136-0x0000000000000000-mapping.dmp
  • memory/4796-135-0x0000000000000000-mapping.dmp