Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2023 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    294KB

  • MD5

    49c95ae2a4f0069f5ef8cb7c70860531

  • SHA1

    1fc8490eb5d14a148a263e744bd791b1f01e6f6a

  • SHA256

    72d074460e5807725c7d6f0ca1f923dbd069b93f86f718f3cb91c9140dd08007

  • SHA512

    28be09331d4bf0191a8bb909fdb17a99bafc193e4433ebd6ff1614ba4ecdb3d3ed8ab0840bcae2b59aee04aea41b6ef9bd12b62332b308417b755c2aaaad5c66

  • SSDEEP

    3072:/pXlqtP8WsLZPdb/3dLhA2AquW0eAb14h+8hsFd825sCwKV1IN:1lkPHsLZPV/3aquSA5U6dUCa

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ykpwlzbv\
      2⤵
        PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\auzxsvsu.exe" C:\Windows\SysWOW64\ykpwlzbv\
        2⤵
          PID:2668
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ykpwlzbv binPath= "C:\Windows\SysWOW64\ykpwlzbv\auzxsvsu.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4800
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ykpwlzbv "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:856
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ykpwlzbv
          2⤵
          • Launches sc.exe
          PID:2792
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3520
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1248
          2⤵
          • Program crash
          PID:320
      • C:\Windows\SysWOW64\ykpwlzbv\auzxsvsu.exe
        C:\Windows\SysWOW64\ykpwlzbv\auzxsvsu.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:344
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.70000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3932
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 520
          2⤵
          • Program crash
          PID:4020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2364 -ip 2364
        1⤵
          PID:4856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3152 -ip 3152
          1⤵
            PID:4272

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          New Service

          1
          T1050

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          New Service

          1
          T1050

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\auzxsvsu.exe
            Filesize

            10.5MB

            MD5

            ddc2912422889b2b86ea70cddbe17faf

            SHA1

            2fd4d4071e6d5361a066452932071d16ace7d355

            SHA256

            434ea5d08fdf931275f02485e773c81009a37038ac12960571c1b060ca7f87c5

            SHA512

            bbf434d445495b86e5c080d7fb2e4cbb23f461f0b32ec391f2df65b850d09d2fdebff83739db7f99a8cb54a1208bbdbb5b4ef667e9f856422d3b3acdf2080a23

            Download Submit
          • C:\Windows\SysWOW64\ykpwlzbv\auzxsvsu.exe
            Filesize

            10.5MB

            MD5

            ddc2912422889b2b86ea70cddbe17faf

            SHA1

            2fd4d4071e6d5361a066452932071d16ace7d355

            SHA256

            434ea5d08fdf931275f02485e773c81009a37038ac12960571c1b060ca7f87c5

            SHA512

            bbf434d445495b86e5c080d7fb2e4cbb23f461f0b32ec391f2df65b850d09d2fdebff83739db7f99a8cb54a1208bbdbb5b4ef667e9f856422d3b3acdf2080a23

            Download Submit
          • memory/344-167-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-148-0x0000000002600000-0x000000000280F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/344-169-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-143-0x00000000007B0000-0x00000000007C5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/344-144-0x00000000007B0000-0x00000000007C5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/344-145-0x00000000007B0000-0x00000000007C5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/344-184-0x0000000001DE0000-0x0000000001DE7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/344-168-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-151-0x0000000002600000-0x000000000280F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/344-152-0x0000000001D30000-0x0000000001D36000-memory.dmp
            Filesize

            24KB

            Download
          • memory/344-155-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-158-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-183-0x0000000007580000-0x000000000798B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/344-160-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-161-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-162-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-164-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-165-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-163-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-166-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-159-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-182-0x00000000007B0000-0x00000000007C5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/344-140-0x00000000007B0000-0x00000000007C5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/344-170-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-171-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-172-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-173-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-174-0x0000000001D40000-0x0000000001D50000-memory.dmp
            Filesize

            64KB

            Download
          • memory/344-175-0x0000000001DD0000-0x0000000001DD5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/344-178-0x0000000001DD0000-0x0000000001DD5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/344-179-0x0000000007580000-0x000000000798B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2364-139-0x0000000000400000-0x0000000002367000-memory.dmp
            Filesize

            31.4MB

            Download
          • memory/2364-135-0x0000000002520000-0x0000000002533000-memory.dmp
            Filesize

            76KB

            Download
          • memory/3152-146-0x0000000000400000-0x0000000002367000-memory.dmp
            Filesize

            31.4MB

            Download
          • memory/3932-188-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-193-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-194-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-195-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-196-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-197-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-198-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/3932-199-0x0000000000C00000-0x0000000000CF1000-memory.dmp
            Filesize

            964KB

            Download