Overview

overview

10

Static

static

6b5ee5602c...e0.exe

windows7-x64

10

6b5ee5602c...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    246s
  • max time network
    337s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b5ee5602cb0301d703e53c641d838110c049ae5a21295d4f8597dc794b172e0.exe

  • Size

    183KB

  • MD5

    a9e7925167a97ff59857551875890545

  • SHA1

    b96371041a3f82abc88bded8d79a52672070ce8b

  • SHA256

    6b5ee5602cb0301d703e53c641d838110c049ae5a21295d4f8597dc794b172e0

  • SHA512

    60e4281118df51ba56bf7ccec44f19e68c09c699c4eaaaaf803ea4e39ca1959c7719e9f34dc2e97d50a22d9eeac755edbcc24ec04325a44628cea9c67c4d95f4

  • SSDEEP

    3072:/mEMgK6cyCsPbWmQW5lb4OjiUh6f9dhiEZw/oQ3q:pMBsPbWZz6qI

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b5ee5602cb0301d703e53c641d838110c049ae5a21295d4f8597dc794b172e0.exe
    "C:\Users\Admin\AppData\Local\Temp\6b5ee5602cb0301d703e53c641d838110c049ae5a21295d4f8597dc794b172e0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dutsnnnu\
      2⤵
        PID:1064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\senbawfk.exe" C:\Windows\SysWOW64\dutsnnnu\
        2⤵
          PID:728
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dutsnnnu binPath= "C:\Windows\SysWOW64\dutsnnnu\senbawfk.exe /d\"C:\Users\Admin\AppData\Local\Temp\6b5ee5602cb0301d703e53c641d838110c049ae5a21295d4f8597dc794b172e0.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:688
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description dutsnnnu "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1684
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start dutsnnnu
          2⤵
          • Launches sc.exe
          PID:980
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1636

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\senbawfk.exe
        Filesize

        11.8MB

        MD5

        0ee8115f8fa9d710f629128673f6b7f6

        SHA1

        55eafdfa0852f080e3896a8d891d77b28d85bd35

        SHA256

        5c273e579f3e380454ae83a00180e6b5d25d2ecb317607df326fd4fd36e75b17

        SHA512

        c6c663082ee6e6cc320c0e21dc7c53f838c6323da42256638c60930425ccc91f0842b2a499841117917629e952234008d69d73111d7eb93900c8299121fd0699

        Download Submit
      • memory/360-56-0x00000000005AD000-0x00000000005BE000-memory.dmp
        Filesize

        68KB

        Download
      • memory/360-57-0x0000000000240000-0x0000000000253000-memory.dmp
        Filesize

        76KB

        Download
      • memory/360-54-0x0000000075C11000-0x0000000075C13000-memory.dmp
        Filesize

        8KB

        Download
      • memory/360-58-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

        Download
      • memory/360-64-0x00000000005AD000-0x00000000005BE000-memory.dmp
        Filesize

        68KB

        Download
      • memory/360-67-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

        Download
      • memory/360-66-0x00000000005AD000-0x00000000005BE000-memory.dmp
        Filesize

        68KB

        Download
      • memory/688-61-0x0000000000000000-mapping.dmp
        Download
      • memory/728-59-0x0000000000000000-mapping.dmp
        Download
      • memory/980-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1064-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1636-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1684-62-0x0000000000000000-mapping.dmp
        Download