Overview

overview

10

Static

static

3

78ca5753c7...2d.exe

windows7-x64

10

78ca5753c7...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    448s
  • max time network
    440s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2023 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe

  • Size

    154KB

  • MD5

    5e867ae4a78726523d91eaea386fce6d

  • SHA1

    c9ee64774b15ada9cbd52f88bb47057647978fac

  • SHA256

    78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d

  • SHA512

    74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344

  • SSDEEP

    1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
    "C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\koplspzc\
      2⤵
        PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qyrhmjbl.exe" C:\Windows\SysWOW64\koplspzc\
        2⤵
          PID:780
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create koplspzc binPath= "C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description koplspzc "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4192
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start koplspzc
          2⤵
          • Launches sc.exe
          PID:1100
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3840
      • C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe
        C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe /d"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:4940
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4540
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
          1⤵
            PID:1800
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            PID:3128
          • C:\Windows\system32\mspaint.exe
            "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OptimizeEnter.jfif" /ForceBootstrapPaint3D
            1⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3088
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
            1⤵
            • Drops file in System32 directory
            PID:1560
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:4472

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\qyrhmjbl.exe
            Filesize

            14.6MB

            MD5

            b6f6c0d91799f827dd0a61a08d167f3b

            SHA1

            b11fb9ba718fbd7a02e048fb2247f12c551e2ca4

            SHA256

            8a100743e736069c41ab1507f67dbea09179446995b1e85040683e508e4d526d

            SHA512

            ed7f30f3b9d97e830b560855b0d9c4e442f0876745f46044943eb400ac248784333f4cdb2b1dafffaa2b1be8348624c056fab02e6df343a7d9b7f7aaeee40fc6

            Download Submit
          • C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe
            Filesize

            14.6MB

            MD5

            b6f6c0d91799f827dd0a61a08d167f3b

            SHA1

            b11fb9ba718fbd7a02e048fb2247f12c551e2ca4

            SHA256

            8a100743e736069c41ab1507f67dbea09179446995b1e85040683e508e4d526d

            SHA512

            ed7f30f3b9d97e830b560855b0d9c4e442f0876745f46044943eb400ac248784333f4cdb2b1dafffaa2b1be8348624c056fab02e6df343a7d9b7f7aaeee40fc6

            Download Submit
          • memory/1560-151-0x000002AAA4D30000-0x000002AAA4D40000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1560-170-0x000002AAADAD0000-0x000002AAADAD1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-169-0x000002AAADAD0000-0x000002AAADAD1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-168-0x000002AAADAC0000-0x000002AAADAC1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-167-0x000002AAADAC0000-0x000002AAADAC1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-166-0x000002AAADA30000-0x000002AAADA31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-164-0x000002AAADA30000-0x000002AAADA31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-162-0x000002AAAD9B0000-0x000002AAAD9B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1560-155-0x000002AAA4D70000-0x000002AAA4D80000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3476-139-0x000000005F000000-0x000000005F011000-memory.dmp
            Filesize

            68KB

            Download
          • memory/3476-133-0x0000000000400000-0x0000000000429000-memory.dmp
            Filesize

            164KB

            Download
          • memory/3476-138-0x0000000000400000-0x0000000000429000-memory.dmp
            Filesize

            164KB

            Download
          • memory/3476-135-0x0000000002170000-0x0000000002171000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3476-134-0x00000000006C0000-0x00000000006C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3908-145-0x0000000000400000-0x0000000000429000-memory.dmp
            Filesize

            164KB

            Download
          • memory/3908-141-0x0000000000400000-0x0000000000429000-memory.dmp
            Filesize

            164KB

            Download
          • memory/4940-149-0x0000000000F20000-0x0000000000F35000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4940-150-0x0000000000F20000-0x0000000000F35000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4940-148-0x0000000000F20000-0x0000000000F35000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4940-146-0x0000000000F20000-0x0000000000F35000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4940-142-0x0000000000F20000-0x0000000000F35000-memory.dmp
            Filesize

            84KB

            Download