Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    147KB

  • MD5

    4eb62a4c6ef0b767b031754502a53d39

  • SHA1

    1031001a9972fadf5308ade23eaa3010a168c256

  • SHA256

    e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54

  • SHA512

    d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047

  • SSDEEP

    3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wkdjfwfl\
      2⤵
        PID:64
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nkefckah.exe" C:\Windows\SysWOW64\wkdjfwfl\
        2⤵
          PID:2864
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create wkdjfwfl binPath= "C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:220
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description wkdjfwfl "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1800
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start wkdjfwfl
          2⤵
          • Launches sc.exe
          PID:684
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1964
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 676
          2⤵
          • Program crash
          PID:2264
      • C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe
        C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:2116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 516
          2⤵
          • Program crash
          PID:3656
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4200 -ip 4200
        1⤵
          PID:2908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3652 -ip 3652
          1⤵
            PID:3440

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\nkefckah.exe
            Filesize

            11.3MB

            MD5

            c2594377a665439cc2a005c055d02d0e

            SHA1

            aea7c41de2b35d14a6c23703d1c51277ccfa700f

            SHA256

            659a445217756934707ccffe5126bff2562acc5638189ee132caf04708dec065

            SHA512

            f9a9d95abdaa0f3dbe1e19983bd23eb2ddc05fea01383b1e87f299400d18dbc5c836b8195d4155858a297d06999aabf0a633b5be39f377a64d436855c9e6004c

            Download Submit
          • C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe
            Filesize

            11.3MB

            MD5

            c2594377a665439cc2a005c055d02d0e

            SHA1

            aea7c41de2b35d14a6c23703d1c51277ccfa700f

            SHA256

            659a445217756934707ccffe5126bff2562acc5638189ee132caf04708dec065

            SHA512

            f9a9d95abdaa0f3dbe1e19983bd23eb2ddc05fea01383b1e87f299400d18dbc5c836b8195d4155858a297d06999aabf0a633b5be39f377a64d436855c9e6004c

            Download Submit
          • memory/64-135-0x0000000000000000-mapping.dmp
            Download
          • memory/220-138-0x0000000000000000-mapping.dmp
            Download
          • memory/684-140-0x0000000000000000-mapping.dmp
            Download
          • memory/1800-139-0x0000000000000000-mapping.dmp
            Download
          • memory/1964-144-0x0000000000000000-mapping.dmp
            Download
          • memory/2116-147-0x0000000000CB0000-0x0000000000CC5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2116-146-0x0000000000000000-mapping.dmp
            Download
          • memory/2116-152-0x0000000000CB0000-0x0000000000CC5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2116-153-0x0000000000CB0000-0x0000000000CC5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2864-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3652-150-0x0000000000DF8000-0x0000000000E09000-memory.dmp
            Filesize

            68KB

            Download
          • memory/3652-151-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4200-141-0x0000000000DFD000-0x0000000000E0E000-memory.dmp
            Filesize

            68KB

            Download
          • memory/4200-142-0x0000000000D30000-0x0000000000D43000-memory.dmp
            Filesize

            76KB

            Download
          • memory/4200-134-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4200-133-0x0000000000D30000-0x0000000000D43000-memory.dmp
            Filesize

            76KB

            Download
          • memory/4200-145-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4200-132-0x0000000000DFD000-0x0000000000E0E000-memory.dmp
            Filesize

            68KB

            Download