Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2023 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    245KB

  • MD5

    df15de798e52159e6541c0373445a9c7

  • SHA1

    f6b9c5e494c8385c5d63b2908f7e6d5f540670ee

  • SHA256

    c9fd78bfd543098028bb45708460fe553e498c350aed74a9397061c1cc10d5fd

  • SHA512

    dcf71d349d91879761c32267d685d79765ed20db244c5e235451d2e73ea9731fa72984a6a75eb73e7503f64b38c8ab92c6ecb8f3914d92b11980499e110bb403

  • SSDEEP

    3072:K5gq7QWTvquIQSWJ5uCekqO5A+sgfoucB9hZn7gi:G7QWNFJ5uCHq4nghPh7

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kygsjnde\
      2⤵
        PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nzpcqphl.exe" C:\Windows\SysWOW64\kygsjnde\
        2⤵
          PID:2332
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kygsjnde binPath= "C:\Windows\SysWOW64\kygsjnde\nzpcqphl.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3108
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kygsjnde "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3932
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kygsjnde
          2⤵
          • Launches sc.exe
          PID:412
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2656
      • C:\Windows\SysWOW64\kygsjnde\nzpcqphl.exe
        C:\Windows\SysWOW64\kygsjnde\nzpcqphl.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2792

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nzpcqphl.exe
        Filesize

        15.0MB

        MD5

        0839cdfe68ce738d6b0747da65c50640

        SHA1

        82d698e0a532bb97714665cbc5ffb32c0fe076cc

        SHA256

        c92829bd61f7c71df89b8e0f13eee90c8f4e32d1106c56f09c5e0ba74fb5be00

        SHA512

        0734035c0f4dfce02dfc3ecbaefc11d8e3b6d41b97cba9c3decdcf31af198aca0968c19bf099471a03ddb25e5a8195a1e62a07da0f943df03a4d8dc93198b6c4

        Download Submit

      • C:\Windows\SysWOW64\kygsjnde\nzpcqphl.exe
        Filesize

        15.0MB

        MD5

        0839cdfe68ce738d6b0747da65c50640

        SHA1

        82d698e0a532bb97714665cbc5ffb32c0fe076cc

        SHA256

        c92829bd61f7c71df89b8e0f13eee90c8f4e32d1106c56f09c5e0ba74fb5be00

        SHA512

        0734035c0f4dfce02dfc3ecbaefc11d8e3b6d41b97cba9c3decdcf31af198aca0968c19bf099471a03ddb25e5a8195a1e62a07da0f943df03a4d8dc93198b6c4

        Download Submit

      • memory/752-13-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/752-11-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/752-10-0x0000000000910000-0x0000000000A10000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2792-34-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-35-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-56-0x00000000009F0000-0x00000000009F7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2792-55-0x0000000007080000-0x000000000748B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2792-12-0x0000000000460000-0x0000000000475000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2792-44-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-17-0x0000000000460000-0x0000000000475000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2792-18-0x0000000000460000-0x0000000000475000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2792-20-0x0000000000460000-0x0000000000475000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2792-21-0x0000000002200000-0x000000000240F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2792-24-0x0000000002200000-0x000000000240F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2792-25-0x00000000005F0000-0x00000000005F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2792-28-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-31-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-32-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-47-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-33-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-46-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-36-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-38-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-40-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-37-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-41-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-39-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-43-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-42-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-45-0x00000000009D0000-0x00000000009E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2792-48-0x00000000009E0000-0x00000000009E5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2792-51-0x00000000009E0000-0x00000000009E5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2792-52-0x0000000007080000-0x000000000748B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3284-7-0x0000000002450000-0x0000000002463000-memory.dmp

        Filesize

        76KB

        Download

      • memory/3284-1-0x0000000000890000-0x0000000000990000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3284-2-0x0000000002450000-0x0000000002463000-memory.dmp

        Filesize

        76KB

        Download

      • memory/3284-3-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3284-6-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download