Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    147KB

  • MD5

    1eb05ec5bc5982ebc88aa1ad6b69fb46

  • SHA1

    fcfc2f0c0f5cc446961959165b6dc01b29b23701

  • SHA256

    c841cb96a9a0648f1d9df6b16c244bc1e80aca79eebd77e733c2c33ddcef5e1a

  • SHA512

    c591a73be6073da3ee9a2f80336ba386c31c9f5f08332d5b8a6ec959bb8a6cc929dae51309832c648af44c69e712082f930e11ae3324a528bcfe5ff1265bb9f6

  • SSDEEP

    3072:fkJxzH6d2wC065TLWslukoo1Cl7U8onB:f4i2wklukooS7U8

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hdeaudju\
      2⤵
        PID:4644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ztjadben.exe" C:\Windows\SysWOW64\hdeaudju\
        2⤵
          PID:2456
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hdeaudju binPath= "C:\Windows\SysWOW64\hdeaudju\ztjadben.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4232
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hdeaudju "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2524
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hdeaudju
          2⤵
          • Launches sc.exe
          PID:2920
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 648
          2⤵
          • Program crash
          PID:3212
      • C:\Windows\SysWOW64\hdeaudju\ztjadben.exe
        C:\Windows\SysWOW64\hdeaudju\ztjadben.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:3528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 516
          2⤵
          • Program crash
          PID:4492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1752 -ip 1752
        1⤵
          PID:1992
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 224 -ip 224
          1⤵
            PID:2532

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ztjadben.exe
            Filesize

            14.4MB

            MD5

            fcfe10c254fe5b17b2b0f490121d2894

            SHA1

            a771604400e87a4e6df52e3404fd09594390aaa2

            SHA256

            5504c3d153bf5e3fdfa6626e6a966961d83ddfc8fa6a624be0f031dafc4081ae

            SHA512

            4dfd6f34718ad5246626358f609d3b48296f3d70c307172c77325bc07e8ad65d9ad5858651447d25fc187fd08f43dd397bc48794f62a323cc0d6ba40803812ee

            Download Submit
          • C:\Windows\SysWOW64\hdeaudju\ztjadben.exe
            Filesize

            14.4MB

            MD5

            fcfe10c254fe5b17b2b0f490121d2894

            SHA1

            a771604400e87a4e6df52e3404fd09594390aaa2

            SHA256

            5504c3d153bf5e3fdfa6626e6a966961d83ddfc8fa6a624be0f031dafc4081ae

            SHA512

            4dfd6f34718ad5246626358f609d3b48296f3d70c307172c77325bc07e8ad65d9ad5858651447d25fc187fd08f43dd397bc48794f62a323cc0d6ba40803812ee

            Download Submit
          • memory/224-152-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/224-146-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/224-151-0x0000000000C39000-0x0000000000C49000-memory.dmp
            Filesize

            64KB

            Download
          • memory/224-145-0x0000000000C39000-0x0000000000C49000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1752-134-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/1752-133-0x0000000002810000-0x0000000002823000-memory.dmp
            Filesize

            76KB

            Download
          • memory/1752-132-0x0000000000B3D000-0x0000000000B4D000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1752-143-0x0000000002810000-0x0000000002823000-memory.dmp
            Filesize

            76KB

            Download
          • memory/1752-144-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/2456-136-0x0000000000000000-mapping.dmp
            Download
          • memory/2524-139-0x0000000000000000-mapping.dmp
            Download
          • memory/2920-140-0x0000000000000000-mapping.dmp
            Download
          • memory/3528-147-0x0000000000000000-mapping.dmp
            Download
          • memory/3528-148-0x00000000006D0000-0x00000000006E5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3528-153-0x00000000006D0000-0x00000000006E5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3528-154-0x00000000006D0000-0x00000000006E5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4016-142-0x0000000000000000-mapping.dmp
            Download
          • memory/4232-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4644-135-0x0000000000000000-mapping.dmp
            Download