Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2023 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    299KB

  • MD5

    389e0bbeb62bafda651f89609f6155f1

  • SHA1

    d1a66088ee38a570160c43f294b1e21129a55d0a

  • SHA256

    2f459f27c19518f315b8233ab7af6fdcd04c7c886d11a3117a23e9e28c532e2c

  • SHA512

    ce6f0b55206251d60acd2023f8c363cd07f4840e726e5d245bc765ac6a6ea83da2fe1bf8709ddb81d0baedf94997f584347406100eeb6b8b0752d775508ac0b6

  • SSDEEP

    3072:5nb6blhL62RmhK3XIOAtjtVcT00ppPaO5M4seFd/XFuQjiMTE5jptoia5D:FWhL6l82Be3/5M4scNuQj986ia

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ytakoyhl\
      2⤵
        PID:4972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbdlhbha.exe" C:\Windows\SysWOW64\ytakoyhl\
        2⤵
          PID:3856
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ytakoyhl binPath= "C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:460
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ytakoyhl "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3396
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ytakoyhl
          2⤵
          • Launches sc.exe
          PID:524
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:804
      • C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe
        C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2980

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\hbdlhbha.exe
        Filesize

        14.5MB

        MD5

        197918505226f202afaa7718cf99415a

        SHA1

        3ae1f7102196332a591821a631e513fec4bf6a87

        SHA256

        18ac7cdacd32b6d58a8c7e72dd0c96d511fd6ab403161e18d80087782965cd15

        SHA512

        1dfbbbd574272d5ca76b5b62499285bf3e1fafc334d29b0f20729fc716cbbb996c3ea925454303fdd894b00682cf2a31b168ae11694f329e5c37c7da3437b04e

        Download Submit
      • C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe
        Filesize

        14.5MB

        MD5

        197918505226f202afaa7718cf99415a

        SHA1

        3ae1f7102196332a591821a631e513fec4bf6a87

        SHA256

        18ac7cdacd32b6d58a8c7e72dd0c96d511fd6ab403161e18d80087782965cd15

        SHA512

        1dfbbbd574272d5ca76b5b62499285bf3e1fafc334d29b0f20729fc716cbbb996c3ea925454303fdd894b00682cf2a31b168ae11694f329e5c37c7da3437b04e

        Download Submit
      • memory/320-151-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/320-149-0x00000000006BA000-0x00000000006CF000-memory.dmp
        Filesize

        84KB

        Download
      • memory/460-138-0x0000000000000000-mapping.dmp
        Download
      • memory/524-140-0x0000000000000000-mapping.dmp
        Download
      • memory/804-141-0x0000000000000000-mapping.dmp
        Download
      • memory/868-142-0x00000000007EE000-0x0000000000804000-memory.dmp
        Filesize

        88KB

        Download
      • memory/868-132-0x00000000007EE000-0x0000000000804000-memory.dmp
        Filesize

        88KB

        Download
      • memory/868-143-0x0000000000760000-0x0000000000773000-memory.dmp
        Filesize

        76KB

        Download
      • memory/868-144-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/868-134-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/868-133-0x0000000000760000-0x0000000000773000-memory.dmp
        Filesize

        76KB

        Download
      • memory/2980-146-0x0000000000000000-mapping.dmp
        Download
      • memory/2980-147-0x0000000000970000-0x0000000000985000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2980-152-0x0000000000970000-0x0000000000985000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2980-153-0x0000000000970000-0x0000000000985000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3396-139-0x0000000000000000-mapping.dmp
        Download
      • memory/3856-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4972-135-0x0000000000000000-mapping.dmp
        Download