Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2023, 17:32

General

  • Target

    file.exe

  • Size

    254KB

  • MD5

    03b34511e2b93c772e8effc9f6ee7a88

  • SHA1

    cd0498093ce14b3c41b98b82d27e02906e756de8

  • SHA256

    4470acf5c0eef39191bafcdc34243ed0dc02d72f99ac148987b1eefdbd198adf

  • SHA512

    9acfe12a79febc08ed710b917daf18c066048b742c943a8137225320716cd289f39cf2f30c02424a2746675869156183671953b3aa9fc0a8a96004d1ed115cf4

  • SSDEEP

    3072:XFRLY++OCLyi6Q0YCJNspaJkGQq94IXkihxd79nD6zBgwoq5Xa2lVEf:VRLY+lCLyiWY27JkBq9Dhn72gCaGI

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\seajbizg\
      2⤵
        PID:4276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nzpcqphl.exe" C:\Windows\SysWOW64\seajbizg\
        2⤵
          PID:3792
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create seajbizg binPath= "C:\Windows\SysWOW64\seajbizg\nzpcqphl.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1116
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description seajbizg "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2208
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start seajbizg
          2⤵
          • Launches sc.exe
          PID:432
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1032
          2⤵
          • Program crash
          PID:4120
      • C:\Windows\SysWOW64\seajbizg\nzpcqphl.exe
        C:\Windows\SysWOW64\seajbizg\nzpcqphl.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 540
          2⤵
          • Program crash
          PID:4988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4180 -ip 4180
        1⤵
          PID:1960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4972 -ip 4972
          1⤵
            PID:1956

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\nzpcqphl.exe

                  Filesize

                  13.8MB

                  MD5

                  5ed581cc8eebbd87bafe1469ae0b9c9d

                  SHA1

                  3867f2f6f02d9d767c1c8bf3ea4a19fdde7c9b23

                  SHA256

                  bdfb2510fae1fabd96edc72c2339488898aebfa5b04109acea43089ed30287cd

                  SHA512

                  15811198a389d8ddd242a3ee2ae43ba00ef2c83b1283c5ee9c314d96fd7f854cf287a5a26eaa097116269d28214c3bacc741393cf648375e0fa73797f5350de3

                • C:\Windows\SysWOW64\seajbizg\nzpcqphl.exe

                  Filesize

                  13.8MB

                  MD5

                  5ed581cc8eebbd87bafe1469ae0b9c9d

                  SHA1

                  3867f2f6f02d9d767c1c8bf3ea4a19fdde7c9b23

                  SHA256

                  bdfb2510fae1fabd96edc72c2339488898aebfa5b04109acea43089ed30287cd

                  SHA512

                  15811198a389d8ddd242a3ee2ae43ba00ef2c83b1283c5ee9c314d96fd7f854cf287a5a26eaa097116269d28214c3bacc741393cf648375e0fa73797f5350de3

                • memory/1120-33-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-35-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-56-0x00000000019F0000-0x00000000019F7000-memory.dmp

                  Filesize

                  28KB

                • memory/1120-55-0x0000000007180000-0x000000000758B000-memory.dmp

                  Filesize

                  4.0MB

                • memory/1120-11-0x0000000000390000-0x00000000003A5000-memory.dmp

                  Filesize

                  84KB

                • memory/1120-52-0x0000000007180000-0x000000000758B000-memory.dmp

                  Filesize

                  4.0MB

                • memory/1120-51-0x00000000019E0000-0x00000000019E5000-memory.dmp

                  Filesize

                  20KB

                • memory/1120-48-0x00000000019E0000-0x00000000019E5000-memory.dmp

                  Filesize

                  20KB

                • memory/1120-16-0x0000000000390000-0x00000000003A5000-memory.dmp

                  Filesize

                  84KB

                • memory/1120-34-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-18-0x0000000000390000-0x00000000003A5000-memory.dmp

                  Filesize

                  84KB

                • memory/1120-20-0x0000000000390000-0x00000000003A5000-memory.dmp

                  Filesize

                  84KB

                • memory/1120-21-0x0000000002200000-0x000000000240F000-memory.dmp

                  Filesize

                  2.1MB

                • memory/1120-24-0x0000000002200000-0x000000000240F000-memory.dmp

                  Filesize

                  2.1MB

                • memory/1120-25-0x0000000001940000-0x0000000001946000-memory.dmp

                  Filesize

                  24KB

                • memory/1120-28-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-31-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-32-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-47-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-46-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-45-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-36-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-37-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-38-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-39-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-41-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-42-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-40-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-43-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/1120-44-0x0000000001950000-0x0000000001960000-memory.dmp

                  Filesize

                  64KB

                • memory/4180-1-0x0000000000510000-0x0000000000610000-memory.dmp

                  Filesize

                  1024KB

                • memory/4180-3-0x0000000000400000-0x00000000004F4000-memory.dmp

                  Filesize

                  976KB

                • memory/4180-8-0x0000000000400000-0x00000000004F4000-memory.dmp

                  Filesize

                  976KB

                • memory/4180-9-0x0000000002240000-0x0000000002253000-memory.dmp

                  Filesize

                  76KB

                • memory/4180-2-0x0000000002240000-0x0000000002253000-memory.dmp

                  Filesize

                  76KB

                • memory/4972-17-0x0000000000400000-0x00000000004F4000-memory.dmp

                  Filesize

                  976KB

                • memory/4972-10-0x0000000000670000-0x0000000000770000-memory.dmp

                  Filesize

                  1024KB

                • memory/4972-12-0x0000000000400000-0x00000000004F4000-memory.dmp

                  Filesize

                  976KB