Analysis

  • max time kernel
    170s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2023, 17:53

General

  • Target

    file.exe

  • Size

    262KB

  • MD5

    81f5904645e44483a57226ab60e0390b

  • SHA1

    0bd97534d23998b6d554b48bddd0015d199808ec

  • SHA256

    7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7

  • SHA512

    5403b05a65105351fa5b6bc351b3613f930d16bbc0507045a340282029fdc688234fe3f92ef15fcdc9011650a3f96533f9254348bcf33159f381e8914abf281e

  • SSDEEP

    3072:pFzu3GMDmWLo3NrmuvLLCRpKbm/EJx9teHFKe0fk02q5XI7lVEaP:zzu2MqWLo9rmCXCR38biHF080VIjt

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlfytich\
      2⤵
        PID:3256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhheqcsq.exe" C:\Windows\SysWOW64\qlfytich\
        2⤵
          PID:1328
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qlfytich binPath= "C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2164
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qlfytich "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1000
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qlfytich
          2⤵
          • Launches sc.exe
          PID:4412
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1248
          2⤵
          • Program crash
          PID:848
      • C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe
        C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 544
          2⤵
          • Program crash
          PID:3012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5084 -ip 5084
        1⤵
          PID:3860
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4088 -ip 4088
          1⤵
            PID:4244

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\rhheqcsq.exe

                  Filesize

                  11.8MB

                  MD5

                  809b66108415a4b43cc7f011e25ffd4b

                  SHA1

                  07f68430c8638ca3fe00a06cc3250a97c93ba794

                  SHA256

                  19bce80bcc9f910b614fd3cfdcf8b1d22db18844dc8010497cfa8b511e3a4321

                  SHA512

                  a7a52f7869c32c53987dc66baf2e0c88824fb4c8c94db6e1cbf3b7c647a9b3455ab1bb67874778794ad435a9689c443562f1af268ae71d8ab4d93e6ef5183278

                • C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe

                  Filesize

                  11.8MB

                  MD5

                  809b66108415a4b43cc7f011e25ffd4b

                  SHA1

                  07f68430c8638ca3fe00a06cc3250a97c93ba794

                  SHA256

                  19bce80bcc9f910b614fd3cfdcf8b1d22db18844dc8010497cfa8b511e3a4321

                  SHA512

                  a7a52f7869c32c53987dc66baf2e0c88824fb4c8c94db6e1cbf3b7c647a9b3455ab1bb67874778794ad435a9689c443562f1af268ae71d8ab4d93e6ef5183278

                • memory/2492-52-0x0000000000850000-0x0000000000865000-memory.dmp

                  Filesize

                  84KB

                • memory/2492-48-0x0000000000850000-0x0000000000865000-memory.dmp

                  Filesize

                  84KB

                • memory/2492-31-0x0000000000850000-0x0000000000865000-memory.dmp

                  Filesize

                  84KB

                • memory/2492-28-0x0000000000850000-0x0000000000865000-memory.dmp

                  Filesize

                  84KB

                • memory/2492-25-0x0000000000850000-0x0000000000865000-memory.dmp

                  Filesize

                  84KB

                • memory/4088-22-0x00000000009A0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  1024KB

                • memory/4088-30-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/4088-18-0x00000000009A0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  1024KB

                • memory/4088-19-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/4088-20-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/5084-6-0x0000000000930000-0x0000000000943000-memory.dmp

                  Filesize

                  76KB

                • memory/5084-14-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/5084-7-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/5084-1-0x00000000009A0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  1024KB

                • memory/5084-5-0x00000000009A0000-0x0000000000AA0000-memory.dmp

                  Filesize

                  1024KB

                • memory/5084-4-0x0000000000400000-0x00000000008A7000-memory.dmp

                  Filesize

                  4.7MB

                • memory/5084-2-0x0000000000930000-0x0000000000943000-memory.dmp

                  Filesize

                  76KB