Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2023 01:01

General

  • Target

    1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe

  • Size

    270KB

  • MD5

    066793cde98c8983ec676ab7e848dd4e

  • SHA1

    1d35175f44ae52a6238dc9ddd3acc6f6af8f5639

  • SHA256

    1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360

  • SHA512

    139c0fa8ae09817403e2c0d422d52170b8234f899316e10e60c6ebd7de0c3ea099727a8b6ed8e0389b9d2e3cad87b8e7f129091e9840e3120b9aac77f965c21d

  • SSDEEP

    3072:+3BLbpwA+dFGTOxXqS+jK+N1nfBFDR24YYi0Fak7mxqZkO5njIrqokdkun78F:wwnYTOxXV+jFM4c0V7m4d2qokd

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe
    "C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycbmdyyo\
      2⤵
        PID:2008
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\igvdwmhd.exe" C:\Windows\SysWOW64\ycbmdyyo\
        2⤵
          PID:1832
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ycbmdyyo binPath= "C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe /d\"C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1212
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ycbmdyyo "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:532
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ycbmdyyo
          2⤵
          • Launches sc.exe
          PID:580
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:328
      • C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe
        C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe /d"C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1524

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\igvdwmhd.exe

        Filesize

        12.7MB

        MD5

        6eccc9c2507b0cbb2bef7a0bcbe36b81

        SHA1

        c8e6ba9ccce083445eeb825f584a32c127af52d5

        SHA256

        bb073f34c26888532dbe2f5489288a827e62cef72c3b9ab0a4d0af934ef23a9e

        SHA512

        aa29e1d9559b0311b7d59078f0308c0031d194e8ba4f2ea942b54d57833332cae7d8a73eb031e7657b081b6dab179f91cf1f7cef798aa11e817e56bbb1eee65b

      • C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe

        Filesize

        12.7MB

        MD5

        6eccc9c2507b0cbb2bef7a0bcbe36b81

        SHA1

        c8e6ba9ccce083445eeb825f584a32c127af52d5

        SHA256

        bb073f34c26888532dbe2f5489288a827e62cef72c3b9ab0a4d0af934ef23a9e

        SHA512

        aa29e1d9559b0311b7d59078f0308c0031d194e8ba4f2ea942b54d57833332cae7d8a73eb031e7657b081b6dab179f91cf1f7cef798aa11e817e56bbb1eee65b

      • memory/1524-62-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1524-60-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1524-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/1524-67-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1524-68-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1524-69-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1524-71-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1728-56-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/1728-66-0x0000000000400000-0x0000000002B71000-memory.dmp

        Filesize

        39.4MB

      • memory/1824-63-0x0000000000400000-0x0000000002B71000-memory.dmp

        Filesize

        39.4MB