Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    146KB

  • MD5

    1fd5ff320a44cfc6d33a505c24efa590

  • SHA1

    6db5b5667f7861e163344f95ec9f0f3616d14130

  • SHA256

    662a375950d1b16ceb51ea7d50fbaa9121f087d7d148d3be65705a2c4b8b3d08

  • SHA512

    83177f1f72249deaca68249ee5b2f4b755dd0481fb7b24c55f3f28183d5b54edf40f4e330bb00156210eea1f6d73414474df4f3b5b8b69cb14150d058983c29d

  • SSDEEP

    3072:/EBurucqyxil650IRnGOamWe3BYL7aoBUSl3X:cVcqd6Bg7aj+n

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qnbzkhed\
      2⤵
        PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gnnrscmx.exe" C:\Windows\SysWOW64\qnbzkhed\
        2⤵
          PID:628
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qnbzkhed binPath= "C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:516
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qnbzkhed "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:108
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qnbzkhed
          2⤵
          • Launches sc.exe
          PID:1360
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1876
      • C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe
        C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1064

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gnnrscmx.exe
        Filesize

        14.5MB

        MD5

        0ec4ad5e651a11dd707ee932e974e827

        SHA1

        2cc75805748439c86f6510dc07c01075df3527d0

        SHA256

        899c746077c448e72627b67b09f22f3113ddd482fb786a6a03ea856b8ce24290

        SHA512

        b07507bcc5ca59f3632a73bc60a412f0d365e122b28ce811e7f191685ff1eee39b4ec95836b42498bc5a0fc7d8ce5b17683e59f8d0f2eca8579f2d7920c653b2

        Download Submit
      • C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe
        Filesize

        14.5MB

        MD5

        0ec4ad5e651a11dd707ee932e974e827

        SHA1

        2cc75805748439c86f6510dc07c01075df3527d0

        SHA256

        899c746077c448e72627b67b09f22f3113ddd482fb786a6a03ea856b8ce24290

        SHA512

        b07507bcc5ca59f3632a73bc60a412f0d365e122b28ce811e7f191685ff1eee39b4ec95836b42498bc5a0fc7d8ce5b17683e59f8d0f2eca8579f2d7920c653b2

        Download Submit
      • memory/108-62-0x0000000000000000-mapping.dmp
        Download
      • memory/516-61-0x0000000000000000-mapping.dmp
        Download
      • memory/628-59-0x0000000000000000-mapping.dmp
        Download
      • memory/968-78-0x0000000000400000-0x0000000000AD6000-memory.dmp
        Filesize

        6.8MB

        Download
      • memory/968-75-0x000000000028B000-0x000000000029C000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1064-72-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1064-80-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1064-79-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1064-73-0x0000000000089A6B-mapping.dmp
        Download
      • memory/1064-70-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1360-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1552-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1672-67-0x0000000000400000-0x0000000000AD6000-memory.dmp
        Filesize

        6.8MB

        Download
      • memory/1672-66-0x00000000002EB000-0x00000000002FC000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1672-56-0x00000000002EB000-0x00000000002FC000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1672-57-0x00000000001B0000-0x00000000001C3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/1672-58-0x0000000000400000-0x0000000000AD6000-memory.dmp
        Filesize

        6.8MB

        Download
      • memory/1876-65-0x0000000000000000-mapping.dmp
        Download