Analysis

  • max time kernel
    164s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-12-2022 04:14

General

  • Target

    d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe

  • Size

    169KB

  • MD5

    d32ba71dfd5df6fc649515bbb0ba16bc

  • SHA1

    dd0738787a869066c025b836ae631e5f883a5170

  • SHA256

    d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

  • SHA512

    49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

  • SSDEEP

    3072:TNnz4Uk1hIMY8JCLiwMiCjcLUZtHdnXzN2yWTtpFfhYL:TNXkJY8JGC4UzQZtpFhYL

Score
10/10

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
    "C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
      "C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe"
      2⤵
        PID:4436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 308
          3⤵
          • Program crash
          PID:4196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 328
          3⤵
          • Program crash
          PID:2920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4436 -ip 4436
      1⤵
        PID:548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4436 -ip 4436
        1⤵
          PID:4548

Network

MITRE ATT&CK Matrix

Downloads

  • memory/3052-132-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB
  • memory/3052-136-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB
  • memory/4436-133-0x0000000000000000-mapping.dmp
  • memory/4436-134-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB
  • memory/4436-137-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB
  • memory/4436-138-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB
  • memory/4436-139-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB
  • memory/4436-140-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB
  • memory/4436-141-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB