Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2023 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    246KB

  • MD5

    09ce9db1fe65f1dda9a12ff007ab7c49

  • SHA1

    6de9002994c5b24fd0d47ed7a2634acb0cfc9098

  • SHA256

    a5db0e42dae567e9606ec0c6d97e1329c76069d3843172ff2dd42df3cd3f3c5c

  • SHA512

    de5922106801baac81db1db020de2b2e0d5fe32e16e67899920773f8175475ec041e02adb37e2abf4b856924e35eb12fd55822c74faaa6bcd3faca7b87169f95

  • SSDEEP

    3072:sOmty/raritE/9T3WAEMVIhS5jgII+nijVFYnMOa5:sMrariCVG2jgIbnijVunMO

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gppjkjzd\
      2⤵
        PID:3400
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dpbgdjiw.exe" C:\Windows\SysWOW64\gppjkjzd\
        2⤵
          PID:3656
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gppjkjzd binPath= "C:\Windows\SysWOW64\gppjkjzd\dpbgdjiw.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2908
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gppjkjzd "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4616
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gppjkjzd
          2⤵
          • Launches sc.exe
          PID:4644
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:232
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1152
          2⤵
          • Program crash
          PID:2804
      • C:\Windows\SysWOW64\gppjkjzd\dpbgdjiw.exe
        C:\Windows\SysWOW64\gppjkjzd\dpbgdjiw.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 512
          2⤵
          • Program crash
          PID:4516
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2988 -ip 2988
        1⤵
          PID:1112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4612 -ip 4612
          1⤵
            PID:4448

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\dpbgdjiw.exe
            Filesize

            13.2MB

            MD5

            33341990d9ab11bc3ddcc1bf14e41d10

            SHA1

            e44173ea5e6fe9fecd22d50f5919892c2207bc84

            SHA256

            fce778eea894c2169ba8849c1cef98c3193ee4e53ed68160b38d4fd65979e0a2

            SHA512

            e8bb5799517bf6f72523ecbf8180d57304e02a343fee61ed714ac0a3aa607e449628b246184d7d96384adedc4ca473acb06fa1a1448e07d4f69c8288e4eb9179

            Download Submit

          • C:\Windows\SysWOW64\gppjkjzd\dpbgdjiw.exe
            Filesize

            13.2MB

            MD5

            33341990d9ab11bc3ddcc1bf14e41d10

            SHA1

            e44173ea5e6fe9fecd22d50f5919892c2207bc84

            SHA256

            fce778eea894c2169ba8849c1cef98c3193ee4e53ed68160b38d4fd65979e0a2

            SHA512

            e8bb5799517bf6f72523ecbf8180d57304e02a343fee61ed714ac0a3aa607e449628b246184d7d96384adedc4ca473acb06fa1a1448e07d4f69c8288e4eb9179

            Download Submit

          • memory/2480-42-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-47-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-56-0x00000000023F0000-0x00000000023F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2480-32-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-9-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2480-52-0x0000000007C00000-0x000000000800B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2480-13-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2480-51-0x00000000023E0000-0x00000000023E5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/2480-48-0x00000000023E0000-0x00000000023E5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/2480-33-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-17-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2480-18-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2480-20-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2480-34-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-24-0x0000000002C00000-0x0000000002E0F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2480-25-0x00000000023C0000-0x00000000023C6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2480-28-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-31-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-55-0x0000000007C00000-0x000000000800B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2480-46-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-21-0x0000000002C00000-0x0000000002E0F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2480-35-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-36-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-38-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-39-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-37-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-40-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-41-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-44-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-43-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-45-0x00000000023D0000-0x00000000023E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2988-1-0x0000000000860000-0x0000000000960000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2988-3-0x0000000000400000-0x000000000070C000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/2988-15-0x0000000000400000-0x000000000070C000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/2988-2-0x00000000007E0000-0x00000000007F3000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4612-16-0x0000000000790000-0x00000000007A3000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4612-14-0x0000000000400000-0x000000000070C000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4612-11-0x0000000000400000-0x000000000070C000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/4612-8-0x00000000008B0000-0x00000000009B0000-memory.dmp

            Filesize

            1024KB

            Download