Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    218s
  • max time network
    254s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    282KB

  • MD5

    cde34ee43b3dca973c48845866288b1f

  • SHA1

    fa471ef6829d39f3baced3520132a880dd761aa3

  • SHA256

    d61d14ad2202f45d962f4c843d513cda5cdae9febbd70c180f4164a226bfb5d5

  • SHA512

    cdaf0d577d38d216aef124b480225950121c75675346e89447ac087dc13d9971ad2cf33aad51e737ca1c2317fbf8a066d5a06597cb0df7ba562968726bfd7f00

  • SSDEEP

    3072:fdIzwHcmhLYhdh5WbwnO1WUedoubQXRQEeoFv6YnlP1lnQC4:lIzw8mFAdhAtKlQXRbeoVp5

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hsrvgnof\
      2⤵
        PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\brroamca.exe" C:\Windows\SysWOW64\hsrvgnof\
        2⤵
          PID:828
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hsrvgnof binPath= "C:\Windows\SysWOW64\hsrvgnof\brroamca.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2644
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hsrvgnof "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hsrvgnof
          2⤵
          • Launches sc.exe
          PID:2504
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2860
      • C:\Windows\SysWOW64\hsrvgnof\brroamca.exe
        C:\Windows\SysWOW64\hsrvgnof\brroamca.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1616

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\brroamca.exe
        Filesize

        12.2MB

        MD5

        afca395a8a478dc5daf51f8027b2ce40

        SHA1

        4c556a5087c051956536bf033e8f1e696fe27fbd

        SHA256

        d797b7c8a7e6461d34d44040c35be2a9e9af4e39edaaa38a2f1ae73530154052

        SHA512

        f0a6edb3d2b81ecb93687a6d75e58756ad93f096f0d83a2b93c1a0db2cd1c1c28d1966c3af0836ef48193c8e605031a98f2a1779a51582ec8fd0a1ccc8e96e6e

        Download Submit

      • C:\Windows\SysWOW64\hsrvgnof\brroamca.exe
        Filesize

        12.2MB

        MD5

        afca395a8a478dc5daf51f8027b2ce40

        SHA1

        4c556a5087c051956536bf033e8f1e696fe27fbd

        SHA256

        d797b7c8a7e6461d34d44040c35be2a9e9af4e39edaaa38a2f1ae73530154052

        SHA512

        f0a6edb3d2b81ecb93687a6d75e58756ad93f096f0d83a2b93c1a0db2cd1c1c28d1966c3af0836ef48193c8e605031a98f2a1779a51582ec8fd0a1ccc8e96e6e

        Download Submit

      • memory/1616-34-0x00000000000A0000-0x00000000000A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1616-26-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1616-65-0x00000000001B0000-0x00000000001B7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1616-64-0x0000000005820000-0x0000000005C2B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1616-60-0x0000000000120000-0x0000000000125000-memory.dmp

        Filesize

        20KB

        Download

      • memory/1616-61-0x0000000005820000-0x0000000005C2B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1616-57-0x0000000000120000-0x0000000000125000-memory.dmp

        Filesize

        20KB

        Download

      • memory/1616-56-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-55-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-54-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-53-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-52-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1616-41-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1616-40-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-51-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-27-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1616-29-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1616-30-0x0000000001A70000-0x0000000001C7F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1616-50-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-33-0x0000000001A70000-0x0000000001C7F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1616-49-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-37-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-18-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1616-42-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-43-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-44-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-45-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-47-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-46-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1616-48-0x00000000000D0000-0x00000000000E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-10-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2144-1-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2144-12-0x00000000003B0000-0x00000000003C3000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2144-8-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2144-4-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2144-11-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2144-2-0x00000000003B0000-0x00000000003C3000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2144-3-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2144-13-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2144-6-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2192-22-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2192-17-0x0000000000400000-0x0000000002599000-memory.dmp

        Filesize

        33.6MB

        Download

      • memory/2192-16-0x0000000002630000-0x0000000002730000-memory.dmp

        Filesize

        1024KB

        Download