Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    294KB

  • MD5

    a8585854c7a75192794f345a352c62eb

  • SHA1

    84e1c2d35214090bfbd91d5d20d23c5a787beb45

  • SHA256

    577f7a89f71c92f7aa26e8edac4ba449327b75251b4aef85861d0fab35e3d7f5

  • SHA512

    7db0cecd08e50b08bcd9b1c9fd66060835bebe4e99534d1261813ce3cc74d7acfdbf1f10b86fff4eb2c00dfb6f7160d2600fb44bd75e52198cdc2ee71bb7375a

  • SSDEEP

    3072:Gyv5Sfz6m3uahPDRQLptm4Gvq4cS+oiCHbqdCLO30:xwfz6aPD2LptHaq5S+OHbqSO

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ihsxwehx\
      2⤵
        PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uxqbbkll.exe" C:\Windows\SysWOW64\ihsxwehx\
        2⤵
          PID:1684
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ihsxwehx binPath= "C:\Windows\SysWOW64\ihsxwehx\uxqbbkll.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ihsxwehx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3448
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ihsxwehx
          2⤵
          • Launches sc.exe
          PID:216
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1044
          2⤵
          • Program crash
          PID:3640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3568 -ip 3568
        1⤵
          PID:3232
        • C:\Windows\SysWOW64\ihsxwehx\uxqbbkll.exe
          C:\Windows\SysWOW64\ihsxwehx\uxqbbkll.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:1148
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 516
            2⤵
            • Program crash
            PID:2164
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 824 -ip 824
          1⤵
            PID:844

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\uxqbbkll.exe
            Filesize

            13.1MB

            MD5

            d70159c19236f28a236e75682835ccb3

            SHA1

            83c60660cef194282116def9edb094e1b9d508fc

            SHA256

            ed3157a04fab502a1ad3e49de4ff02c8b4077e76228981a49f8d2a5700c1d316

            SHA512

            3ce9ee9882baa2e42854ac62c0cceaabf6d4019b14a2acbbf6b1f9b6e6ff2e0b2b2ab13fa85a7a20468b65291afa6a5c2f3f4cffe27252b82f8a18091621a679

            Download Submit

          • C:\Windows\SysWOW64\ihsxwehx\uxqbbkll.exe
            Filesize

            13.1MB

            MD5

            d70159c19236f28a236e75682835ccb3

            SHA1

            83c60660cef194282116def9edb094e1b9d508fc

            SHA256

            ed3157a04fab502a1ad3e49de4ff02c8b4077e76228981a49f8d2a5700c1d316

            SHA512

            3ce9ee9882baa2e42854ac62c0cceaabf6d4019b14a2acbbf6b1f9b6e6ff2e0b2b2ab13fa85a7a20468b65291afa6a5c2f3f4cffe27252b82f8a18091621a679

            Download Submit

          • memory/824-19-0x0000000000400000-0x0000000002287000-memory.dmp

            Filesize

            30.5MB

            Download

          • memory/824-17-0x0000000000400000-0x0000000002287000-memory.dmp

            Filesize

            30.5MB

            Download

          • memory/824-12-0x00000000022D0000-0x00000000023D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1148-30-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-45-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-57-0x0000000007C00000-0x000000000800B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/1148-58-0x00000000031E0000-0x00000000031E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1148-54-0x0000000007C00000-0x000000000800B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/1148-13-0x0000000001000000-0x0000000001015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1148-16-0x0000000001000000-0x0000000001015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1148-53-0x00000000031D0000-0x00000000031D5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/1148-18-0x0000000001000000-0x0000000001015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1148-20-0x0000000001000000-0x0000000001015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1148-50-0x00000000031D0000-0x00000000031D5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/1148-22-0x0000000001000000-0x0000000001015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1148-23-0x0000000002C00000-0x0000000002E0F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/1148-26-0x0000000002C00000-0x0000000002E0F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/1148-27-0x00000000023A0000-0x00000000023A6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1148-49-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-33-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-35-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-34-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-36-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-37-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-38-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-39-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-40-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-41-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-42-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-44-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-43-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-48-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-46-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-47-0x00000000023B0000-0x00000000023C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3568-7-0x0000000002530000-0x0000000002543000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3568-1-0x0000000002570000-0x0000000002670000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3568-2-0x0000000002530000-0x0000000002543000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3568-4-0x0000000000400000-0x0000000002287000-memory.dmp

            Filesize

            30.5MB

            Download

          • memory/3568-5-0x0000000000400000-0x0000000002287000-memory.dmp

            Filesize

            30.5MB

            Download

          • memory/3568-9-0x0000000000400000-0x0000000002287000-memory.dmp

            Filesize

            30.5MB

            Download

          • memory/3568-6-0x0000000002570000-0x0000000002670000-memory.dmp

            Filesize

            1024KB

            Download