Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2023 22:32

General

  • Target

    file.exe

  • Size

    299KB

  • MD5

    f4d9f3f1009be26ad902f44ac9082c4e

  • SHA1

    9814e5e8e6ce762b7e0544f8f44d1eddd9658415

  • SHA256

    15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a

  • SHA512

    c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6

  • SSDEEP

    6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xksgpfzr\
      2⤵
      PID:1984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\loxiieeb.exe" C:\Windows\SysWOW64\xksgpfzr\
      2⤵
      PID:1664
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create xksgpfzr binPath= "C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:1120
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description xksgpfzr "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:380
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start xksgpfzr
      2⤵
      • Launches sc.exe
      PID:1932
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:928
  • C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe
    C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:1176

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\loxiieeb.exe
    Filesize: 12.8MB
    MD5: 19fda7fd36228cb53f6041fa9d403e17
    SHA1: eb875d8c87fd7d0c3df6026b789b12fc8e9f4251
    SHA256: a9b445ece9dcf4d925e0176c429283c4300fbd8865f257cad439198d118eaead
    SHA512: 89b33bfabd9ee1a1a4ffeb797bdbe05e5ec540fa27f21c15b08a4627d8772b2cc488a02b45056e21a3a9c6ae30129f1d3d23f6150740ad3bd96c300803238706
  • C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe
    Filesize: 12.8MB
    MD5: 19fda7fd36228cb53f6041fa9d403e17
    SHA1: eb875d8c87fd7d0c3df6026b789b12fc8e9f4251
    SHA256: a9b445ece9dcf4d925e0176c429283c4300fbd8865f257cad439198d118eaead
    SHA512: 89b33bfabd9ee1a1a4ffeb797bdbe05e5ec540fa27f21c15b08a4627d8772b2cc488a02b45056e21a3a9c6ae30129f1d3d23f6150740ad3bd96c300803238706
  • memory/380-62-0x0000000000000000-mapping.dmp
  • memory/928-65-0x0000000000000000-mapping.dmp
  • memory/1052-76-0x0000000000400000-0x00000000004C8000-memory.dmp
    Filesize: 800KB
  • memory/1052-75-0x000000000063C000-0x0000000000651000-memory.dmp
    Filesize: 84KB
  • memory/1120-61-0x0000000000000000-mapping.dmp
  • memory/1176-72-0x00000000000C0000-0x00000000000D5000-memory.dmp
    Filesize: 84KB
  • memory/1176-73-0x00000000000C9A6B-mapping.dmp
  • memory/1176-80-0x00000000000C0000-0x00000000000D5000-memory.dmp
    Filesize: 84KB
  • memory/1176-79-0x00000000000C0000-0x00000000000D5000-memory.dmp
    Filesize: 84KB
  • memory/1176-70-0x00000000000C0000-0x00000000000D5000-memory.dmp
    Filesize: 84KB
  • memory/1664-59-0x0000000000000000-mapping.dmp
  • memory/1932-63-0x0000000000000000-mapping.dmp
  • memory/1984-55-0x0000000000000000-mapping.dmp
  • memory/2032-66-0x00000000005AC000-0x00000000005C1000-memory.dmp
    Filesize: 84KB
  • memory/2032-54-0x00000000767B1000-0x00000000767B3000-memory.dmp
    Filesize: 8KB
  • memory/2032-57-0x0000000000230000-0x0000000000243000-memory.dmp
    Filesize: 76KB
  • memory/2032-67-0x0000000000400000-0x00000000004C8000-memory.dmp
    Filesize: 800KB
  • memory/2032-56-0x00000000005AC000-0x00000000005C1000-memory.dmp
    Filesize: 84KB
  • memory/2032-58-0x0000000000400000-0x00000000004C8000-memory.dmp
    Filesize: 800KB