Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2023 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    299KB

  • MD5

    389e0bbeb62bafda651f89609f6155f1

  • SHA1

    d1a66088ee38a570160c43f294b1e21129a55d0a

  • SHA256

    2f459f27c19518f315b8233ab7af6fdcd04c7c886d11a3117a23e9e28c532e2c

  • SHA512

    ce6f0b55206251d60acd2023f8c363cd07f4840e726e5d245bc765ac6a6ea83da2fe1bf8709ddb81d0baedf94997f584347406100eeb6b8b0752d775508ac0b6

  • SSDEEP

    3072:5nb6blhL62RmhK3XIOAtjtVcT00ppPaO5M4seFd/XFuQjiMTE5jptoia5D:FWhL6l82Be3/5M4scNuQj986ia

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qiygxujl\
      2⤵
        PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe" C:\Windows\SysWOW64\qiygxujl\
        2⤵
          PID:2948
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qiygxujl binPath= "C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4216
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qiygxujl "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1840
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qiygxujl
          2⤵
          • Launches sc.exe
          PID:3588
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4976
      • C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe
        C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4192
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4252

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe
        Filesize

        13.6MB

        MD5

        1af7382ca0b9c02c9ce24ea030d07428

        SHA1

        a6e32cd9b835472aeb3429d0904d48601095a9cf

        SHA256

        2d9738b9d1b4f299c0ff6f3366c306f908bbdfcacc3969f1104e0d858335d65b

        SHA512

        c58b6eadd72465c5c7b5c448f51ae796fa8aafc40674c833658df6e209ea269edec8519222074663ed24c834ae6e5510206bb0457711c5b1a8c25f385ff0bf92

        Download Submit
      • C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe
        Filesize

        13.6MB

        MD5

        1af7382ca0b9c02c9ce24ea030d07428

        SHA1

        a6e32cd9b835472aeb3429d0904d48601095a9cf

        SHA256

        2d9738b9d1b4f299c0ff6f3366c306f908bbdfcacc3969f1104e0d858335d65b

        SHA512

        c58b6eadd72465c5c7b5c448f51ae796fa8aafc40674c833658df6e209ea269edec8519222074663ed24c834ae6e5510206bb0457711c5b1a8c25f385ff0bf92

        Download Submit
      • memory/1840-140-0x0000000000000000-mapping.dmp
        Download
      • memory/2416-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2948-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3440-134-0x0000000000530000-0x0000000000630000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/3440-135-0x0000000002200000-0x0000000002213000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3440-136-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/3440-144-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/3588-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4192-150-0x0000000000400000-0x00000000004C7000-memory.dmp
        Filesize

        796KB

        Download
      • memory/4192-147-0x0000000000609000-0x000000000061F000-memory.dmp
        Filesize

        88KB

        Download
      • memory/4216-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4252-145-0x0000000000000000-mapping.dmp
        Download
      • memory/4252-146-0x0000000000900000-0x0000000000915000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4252-151-0x0000000000900000-0x0000000000915000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4252-152-0x0000000000900000-0x0000000000915000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4976-143-0x0000000000000000-mapping.dmp
        Download