Overview

overview

10

Static

static

3

18643a9a6e...07.exe

windows7-x64

10

18643a9a6e...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2023 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe

  • Size

    303KB

  • MD5

    dd18a455e9d700d656ce6965cee1a068

  • SHA1

    bb23d970e98a6a6ec178fc6c9c82689b3e92ee7c

  • SHA256

    18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207

  • SHA512

    71dc5ce080f2f95f2b68bcd135cfbbb9d020e10f58972b4f90ac98a3794f7791857139d45f417d127182bb26caca996a94c95008f2fc0ccc8a3c1b16dd07b531

  • SSDEEP

    3072:duhpDHOnUv1WfCBuL4IdkVDJNhA+GHRIBiSp5z5DT4zknffhd+OH:shpDH9vEfQQrdkB7Fi05ykn3v+y

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
    "C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pzrozvwf\
      2⤵
        PID:324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe" C:\Windows\SysWOW64\pzrozvwf\
        2⤵
          PID:3388
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create pzrozvwf binPath= "C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2868
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description pzrozvwf "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3672
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start pzrozvwf
          2⤵
          • Launches sc.exe
          PID:756
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1188
          2⤵
          • Program crash
          PID:3904
      • C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe
        C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe /d"C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:3796
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 528
          2⤵
          • Program crash
          PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1912 -ip 1912
        1⤵
          PID:4896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2000 -ip 2000
          1⤵
            PID:4252

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe
            Filesize

            11.9MB

            MD5

            a985b323a5251167e06831bbddf39165

            SHA1

            40327ab6e793e41c8c6090dd43bba30ccdc353b8

            SHA256

            6a1694f4b2da13734e2f5a959bee4740e1056a809d2e1668e1b471bacf227ffc

            SHA512

            9b9342113c7712e40ff4d4dc94e9127a7fdc0563edb6ede58a6b47b3d4d78ea3992b2567a5080138dc95209ddafeb574c73afeae3a6294a7502b9c7197b7d1d8

            Download Submit
          • C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe
            Filesize

            11.9MB

            MD5

            a985b323a5251167e06831bbddf39165

            SHA1

            40327ab6e793e41c8c6090dd43bba30ccdc353b8

            SHA256

            6a1694f4b2da13734e2f5a959bee4740e1056a809d2e1668e1b471bacf227ffc

            SHA512

            9b9342113c7712e40ff4d4dc94e9127a7fdc0563edb6ede58a6b47b3d4d78ea3992b2567a5080138dc95209ddafeb574c73afeae3a6294a7502b9c7197b7d1d8

            Download Submit
          • memory/1912-135-0x0000000000CF0000-0x0000000000D03000-memory.dmp
            Filesize

            76KB

            Download
          • memory/1912-139-0x0000000000400000-0x0000000000A5C000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/2000-145-0x0000000000400000-0x0000000000A5C000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/3796-140-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3796-143-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3796-144-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3796-146-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3796-147-0x0000000000140000-0x0000000000155000-memory.dmp
            Filesize

            84KB

            Download