Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2023, 04:13

General

  • Target

    file.exe

  • Size

    272KB

  • MD5

    6896508d64289108686ce180937f1421

  • SHA1

    5fd6c54b3ab237aa4caf04f98a852b130f474b04

  • SHA256

    1086d5f9adf63d6c82831e48cffabb2775d60789635ef6f5709bc06213ff69d3

  • SHA512

    29e8580c7645babd80ec0d0044220557f3e72574051572562c78b36dd376d4861cd2a02058c268edd21bbf1e2d7a0050f5117a5e483a6a7baf0e060de6c1ac23

  • SSDEEP

    3072:9VXpKjioLc3nMszZ2UQz5yrzGAeRqvigxv4T5tLU3U:vpK2oLinM8NQz5yrzbeRqvfxs

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rbqrjzbe\
      2⤵
        PID:3084
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mbtafdia.exe" C:\Windows\SysWOW64\rbqrjzbe\
        2⤵
          PID:1788
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create rbqrjzbe binPath= "C:\Windows\SysWOW64\rbqrjzbe\mbtafdia.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1828
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description rbqrjzbe "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2456
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start rbqrjzbe
          2⤵
          • Launches sc.exe
          PID:4596
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 652
          2⤵
          • Program crash
          PID:1792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2084 -ip 2084
        1⤵
          PID:4532
        • C:\Windows\SysWOW64\rbqrjzbe\mbtafdia.exe
          C:\Windows\SysWOW64\rbqrjzbe\mbtafdia.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Deletes itself
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:2928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 516
            2⤵
            • Program crash
            PID:2364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2784 -ip 2784
          1⤵
            PID:1704

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\mbtafdia.exe

                  Filesize

                  14.1MB

                  MD5

                  3878fd5df9bfda3813ac24a82a77400b

                  SHA1

                  9cb72bfded6fea0f382a15d4e1c36adfbea9c700

                  SHA256

                  16e09be1e4576942e624f013503b8ffefcae2b657364630fdeb8b72901709c1b

                  SHA512

                  a388cbf170ddf3a616ecdcd89dac8d47e69cf47fc5454a22083b543415bf63372b13258f8a98dce268473a413d92c531ef63762e3ea81840ceeb66e4b50bfaee

                • C:\Windows\SysWOW64\rbqrjzbe\mbtafdia.exe

                  Filesize

                  14.1MB

                  MD5

                  3878fd5df9bfda3813ac24a82a77400b

                  SHA1

                  9cb72bfded6fea0f382a15d4e1c36adfbea9c700

                  SHA256

                  16e09be1e4576942e624f013503b8ffefcae2b657364630fdeb8b72901709c1b

                  SHA512

                  a388cbf170ddf3a616ecdcd89dac8d47e69cf47fc5454a22083b543415bf63372b13258f8a98dce268473a413d92c531ef63762e3ea81840ceeb66e4b50bfaee

                • memory/2084-2-0x0000000002240000-0x0000000002253000-memory.dmp

                  Filesize

                  76KB

                • memory/2084-3-0x0000000000400000-0x00000000004F7000-memory.dmp

                  Filesize

                  988KB

                • memory/2084-5-0x0000000000400000-0x00000000004F7000-memory.dmp

                  Filesize

                  988KB

                • memory/2084-7-0x00000000005B0000-0x00000000006B0000-memory.dmp

                  Filesize

                  1024KB

                • memory/2084-8-0x0000000002240000-0x0000000002253000-memory.dmp

                  Filesize

                  76KB

                • memory/2084-9-0x0000000000400000-0x00000000004F7000-memory.dmp

                  Filesize

                  988KB

                • memory/2084-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

                  Filesize

                  1024KB

                • memory/2784-20-0x0000000000400000-0x00000000004F7000-memory.dmp

                  Filesize

                  988KB

                • memory/2784-13-0x0000000000720000-0x0000000000820000-memory.dmp

                  Filesize

                  1024KB

                • memory/2784-14-0x0000000000400000-0x00000000004F7000-memory.dmp

                  Filesize

                  988KB

                • memory/2928-34-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-43-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-21-0x00000000012D0000-0x00000000012E5000-memory.dmp

                  Filesize

                  84KB

                • memory/2928-23-0x00000000012D0000-0x00000000012E5000-memory.dmp

                  Filesize

                  84KB

                • memory/2928-24-0x0000000003000000-0x000000000320F000-memory.dmp

                  Filesize

                  2.1MB

                • memory/2928-27-0x0000000003000000-0x000000000320F000-memory.dmp

                  Filesize

                  2.1MB

                • memory/2928-28-0x0000000002780000-0x0000000002786000-memory.dmp

                  Filesize

                  24KB

                • memory/2928-31-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-15-0x00000000012D0000-0x00000000012E5000-memory.dmp

                  Filesize

                  84KB

                • memory/2928-35-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-36-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-37-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-38-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-39-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-40-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-19-0x00000000012D0000-0x00000000012E5000-memory.dmp

                  Filesize

                  84KB

                • memory/2928-42-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-44-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-41-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-45-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-48-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-47-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-49-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-50-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-46-0x0000000002790000-0x00000000027A0000-memory.dmp

                  Filesize

                  64KB

                • memory/2928-54-0x00000000027E0000-0x00000000027E5000-memory.dmp

                  Filesize

                  20KB

                • memory/2928-51-0x00000000027E0000-0x00000000027E5000-memory.dmp

                  Filesize

                  20KB

                • memory/2928-55-0x0000000007F00000-0x000000000830B000-memory.dmp

                  Filesize

                  4.0MB

                • memory/2928-58-0x0000000007F00000-0x000000000830B000-memory.dmp

                  Filesize

                  4.0MB

                • memory/2928-59-0x00000000027F0000-0x00000000027F7000-memory.dmp

                  Filesize

                  28KB