Overview

overview

10

Static

static

3

38972935c9...JC.exe

windows7-x64

10

38972935c9...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2023, 15:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe

  • Size

    206KB

  • MD5

    991269e0fee66cecedbefc1c229c5476

  • SHA1

    9d4d824280faed254c0c0c497c918a21336ff69e

  • SHA256

    38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f

  • SHA512

    13a8bb82fb4cae4f2ac8687d7b3ac171c0e7203e590a5d6db4c882d79cf12b7b5ba3af1eec1bf27e2ad19b64ede293840041f0d95d807b46e4c36bb9844bd07c

  • SSDEEP

    3072:zG2kPKjL6KNCjZNzDpjAQSOLvEpNSL7EeAHxefDPRvTqkz5WMYTgK:JkSjLVNCj/zD9AEwz20efjBGMYTd

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gcjrohse\
      2⤵
        PID:1032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\seuhvumq.exe" C:\Windows\SysWOW64\gcjrohse\
        2⤵
          PID:340
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gcjrohse binPath= "C:\Windows\SysWOW64\gcjrohse\seuhvumq.exe /d\"C:\Users\Admin\AppData\Local\Temp\38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2220
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gcjrohse "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3760
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gcjrohse
          2⤵
          • Launches sc.exe
          PID:4612
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4308
      • C:\Windows\SysWOW64\gcjrohse\seuhvumq.exe
        C:\Windows\SysWOW64\gcjrohse\seuhvumq.exe /d"C:\Users\Admin\AppData\Local\Temp\38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4156

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\seuhvumq.exe
        Filesize

        10.4MB

        MD5

        91fed9f28e24d9b3c759887982b4b5f1

        SHA1

        cb8d00bcc38fa16b4625bc41374e3732982ed3a7

        SHA256

        134a18cc7d9e4fc0f3a01a137be724e86c4b050d8e2315deaff60d8b311dbbce

        SHA512

        0ce4ce847882fa164c20fe9b46db93da012def63ce2c4781fd02f6b2020ab2c96c73764edec5cf80682104fc0c59bf2bd2d9b5f22d9ceae11c10cf1d312ccdd2

        Download Submit

      • C:\Windows\SysWOW64\gcjrohse\seuhvumq.exe
        Filesize

        10.4MB

        MD5

        91fed9f28e24d9b3c759887982b4b5f1

        SHA1

        cb8d00bcc38fa16b4625bc41374e3732982ed3a7

        SHA256

        134a18cc7d9e4fc0f3a01a137be724e86c4b050d8e2315deaff60d8b311dbbce

        SHA512

        0ce4ce847882fa164c20fe9b46db93da012def63ce2c4781fd02f6b2020ab2c96c73764edec5cf80682104fc0c59bf2bd2d9b5f22d9ceae11c10cf1d312ccdd2

        Download Submit

      • memory/3880-13-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/3880-11-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/3880-10-0x0000000000660000-0x0000000000673000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4156-27-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-32-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-55-0x00000000027D0000-0x00000000027D7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4156-54-0x0000000007300000-0x000000000770B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4156-51-0x0000000007300000-0x000000000770B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4156-50-0x0000000001BF0000-0x0000000001BF5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4156-47-0x0000000001BF0000-0x0000000001BF5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4156-12-0x00000000006D0000-0x00000000006E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4156-15-0x00000000006D0000-0x00000000006E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4156-16-0x00000000006D0000-0x00000000006E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4156-17-0x00000000006D0000-0x00000000006E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4156-19-0x00000000006D0000-0x00000000006E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4156-20-0x0000000002400000-0x000000000260F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4156-23-0x0000000002400000-0x000000000260F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4156-24-0x0000000000F20000-0x0000000000F26000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4156-46-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-30-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-31-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-33-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-43-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-34-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-35-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-36-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-38-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-37-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-39-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-40-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-41-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-42-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-44-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4156-45-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4276-7-0x0000000000890000-0x00000000008A5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4276-0-0x0000000000890000-0x00000000008A5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4276-1-0x0000000002260000-0x0000000002273000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4276-2-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/4276-5-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/4276-6-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

        Download

      • memory/4276-8-0x0000000002260000-0x0000000002273000-memory.dmp

        Filesize

        76KB

        Download