Overview

overview

10

Static

static

3

cf08ecb08e...31.exe

windows7-x64

10

cf08ecb08e...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf08ecb08edbc52e65c8f40215d1e631.exe

  • Size

    235KB

  • MD5

    cf08ecb08edbc52e65c8f40215d1e631

  • SHA1

    1de7abbfa87a31b694ee92413c83f7a22a55c2f8

  • SHA256

    19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580

  • SHA512

    2044e021e7d8eed05ca30205eefd65a586fb23c7eb73bd7b5848895ebc49ebe869d103e935c70564ecb0e573bc22cd0d017501934f781254b1bc40b0888327f4

  • SSDEEP

    3072:uXj1yteXDZ65fyY4RxozmJXEoVyROKipzmmpARedR5TPx2qc:2lI6Cz1oAABfARedf0

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe
    "C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe
      "C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uxqeisyt\
        3⤵
          PID:1492
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zxmundyu.exe" C:\Windows\SysWOW64\uxqeisyt\
          3⤵
            PID:1984
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create uxqeisyt binPath= "C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe /d\"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe\"" type= own start= auto DisplayName= "wifi support"
            3⤵
            • Launches sc.exe
            PID:3908
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description uxqeisyt "wifi internet conection"
            3⤵
            • Launches sc.exe
            PID:2676
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" start uxqeisyt
            3⤵
            • Launches sc.exe
            PID:4036
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            3⤵
            • Modifies Windows Firewall
            PID:1660
      • C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe
        C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe /d"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe
          C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe /d"C:\Users\Admin\AppData\Local\Temp\cf08ecb08edbc52e65c8f40215d1e631.exe"
          2⤵
          • Executes dropped EXE
          PID:4664

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\zxmundyu.exe
        Filesize

        10.3MB

        MD5

        cc9e3d8eb4515ff4493458d485da722a

        SHA1

        4ea08190db41dfb7f9a647c70803cd87a503bef3

        SHA256

        e809347525bd728cdca22dcbe8a08beff048bb8d0a13ae149d5d272f4bfca49e

        SHA512

        16e2b9b64f67be9dff93f09ce11b1d50bb0a7a576057bd02d87639fa71f78354ac06ba99b8921ad010584378be3f74c65679a560655bae1ad5d0c4c246615d18

        Download Submit
      • C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe
        Filesize

        10.3MB

        MD5

        cc9e3d8eb4515ff4493458d485da722a

        SHA1

        4ea08190db41dfb7f9a647c70803cd87a503bef3

        SHA256

        e809347525bd728cdca22dcbe8a08beff048bb8d0a13ae149d5d272f4bfca49e

        SHA512

        16e2b9b64f67be9dff93f09ce11b1d50bb0a7a576057bd02d87639fa71f78354ac06ba99b8921ad010584378be3f74c65679a560655bae1ad5d0c4c246615d18

        Download Submit
      • C:\Windows\SysWOW64\uxqeisyt\zxmundyu.exe
        Filesize

        10.3MB

        MD5

        cc9e3d8eb4515ff4493458d485da722a

        SHA1

        4ea08190db41dfb7f9a647c70803cd87a503bef3

        SHA256

        e809347525bd728cdca22dcbe8a08beff048bb8d0a13ae149d5d272f4bfca49e

        SHA512

        16e2b9b64f67be9dff93f09ce11b1d50bb0a7a576057bd02d87639fa71f78354ac06ba99b8921ad010584378be3f74c65679a560655bae1ad5d0c4c246615d18

        Download Submit
      • memory/1752-138-0x0000000000400000-0x0000000000415000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1752-140-0x0000000000400000-0x0000000000415000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1752-142-0x0000000000400000-0x0000000000415000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1752-148-0x0000000000400000-0x0000000000415000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4664-152-0x0000000000400000-0x0000000000415000-memory.dmp
        Filesize

        84KB

        Download
      • memory/5076-137-0x00000000042A0000-0x00000000042B4000-memory.dmp
        Filesize

        80KB

        Download