Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/10/2023, 16:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    253KB

  • MD5

    127450d6d27fe7279152ee41f2000e84

  • SHA1

    364c48ec0e18867e64dd1b2e55c11f40952fe8fa

  • SHA256

    4086a65a6f05acad63c7c0bfe30805912a17e560ac8817af73717ef9fdc8ce71

  • SHA512

    49f3826a2fd3b040dccb0cae9ae9f962aa7b913a541b4239a1133acd803bff90ff680a3c8e9a486858314991c0b1b60338490e37cf4ad21978ebce73240611b9

  • SSDEEP

    3072:hwXAGaRVLR6OGOyfDYYX2oREGsmA0gi7R5d8p1GpufrAV:e1aRVL8bOCDYY+Gs7i961U

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uvpyeklh\
      2⤵
        PID:3988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe" C:\Windows\SysWOW64\uvpyeklh\
        2⤵
          PID:1724
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create uvpyeklh binPath= "C:\Windows\SysWOW64\uvpyeklh\lxnaonfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2172
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description uvpyeklh "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1508
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start uvpyeklh
          2⤵
          • Launches sc.exe
          PID:4952
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4540
      • C:\Windows\SysWOW64\uvpyeklh\lxnaonfj.exe
        C:\Windows\SysWOW64\uvpyeklh\lxnaonfj.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2580

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe
              Filesize

              13.2MB

              MD5

              93bf68bbd39bcafc950db00df5f05334

              SHA1

              e33f12847255cc2eaa87160ca45f07d04958aa97

              SHA256

              cb39b1ddce05c82668ed9ce105cf7636a075b40a0b16695e3081250b92d321bd

              SHA512

              9dfbbd6d2a54e1f2f82a536c9c9de1094dda477cc58c91c9209866322d9c42b82d5dd1121c0689282ecfc108f2286ffc5552f7029522b1a85b85b944bc129726

              Download Submit

            • C:\Windows\SysWOW64\uvpyeklh\lxnaonfj.exe
              Filesize

              13.2MB

              MD5

              93bf68bbd39bcafc950db00df5f05334

              SHA1

              e33f12847255cc2eaa87160ca45f07d04958aa97

              SHA256

              cb39b1ddce05c82668ed9ce105cf7636a075b40a0b16695e3081250b92d321bd

              SHA512

              9dfbbd6d2a54e1f2f82a536c9c9de1094dda477cc58c91c9209866322d9c42b82d5dd1121c0689282ecfc108f2286ffc5552f7029522b1a85b85b944bc129726

              Download Submit

            • memory/1960-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1960-2-0x00000000006A0000-0x00000000006B3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1960-3-0x0000000000400000-0x00000000004F4000-memory.dmp

              Filesize

              976KB

              Download

            • memory/1960-6-0x00000000006D0000-0x00000000007D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1960-7-0x00000000006A0000-0x00000000006B3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1960-8-0x0000000000400000-0x00000000004F4000-memory.dmp

              Filesize

              976KB

              Download

            • memory/2580-35-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-37-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-13-0x0000000000550000-0x0000000000565000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2580-57-0x00000000029D0000-0x00000000029D7000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2580-18-0x0000000000550000-0x0000000000565000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2580-19-0x0000000000550000-0x0000000000565000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2580-21-0x0000000000550000-0x0000000000565000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2580-22-0x0000000002400000-0x000000000260F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2580-25-0x0000000002400000-0x000000000260F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2580-26-0x00000000009F0000-0x00000000009F6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2580-29-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-33-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-56-0x0000000007340000-0x000000000774B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2580-32-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-36-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-34-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-38-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-49-0x0000000001BF0000-0x0000000001BF5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2580-40-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-39-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-43-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-42-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-45-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-44-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-46-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-41-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-47-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-48-0x0000000001B20000-0x0000000001B30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2580-52-0x0000000001BF0000-0x0000000001BF5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2580-53-0x0000000007340000-0x000000000774B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3280-12-0x0000000000400000-0x00000000004F4000-memory.dmp

              Filesize

              976KB

              Download

            • memory/3280-11-0x0000000000680000-0x0000000000780000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3280-14-0x0000000000400000-0x00000000004F4000-memory.dmp

              Filesize

              976KB

              Download