Overview

overview

10

Static

static

3

189c5efc65...32.exe

windows7-x64

10

189c5efc65...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2023 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232.exe

  • Size

    11.7MB

  • MD5

    0b9eaf5502101f33252e46846f4db5a5

  • SHA1

    620b46abbe9d9e3884d28d85fe7b949c17538eda

  • SHA256

    189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232

  • SHA512

    23fda346f08da77d3158d0a9c464a382af17c9a5649ed4b89152dec01d2527ec0cb9f6d43d5b8decf7ebcf0d65e0906f69a2443e72605c4eb7f549a004ce378c

  • SSDEEP

    3072:x8NYa2qJjULtTNupQyEC6pxhhfm5OcVi:xsRItTNKr2f45

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232.exe
    "C:\Users\Admin\AppData\Local\Temp\189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\btlvfany\
      2⤵
        PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zpvopxnw.exe" C:\Windows\SysWOW64\btlvfany\
        2⤵
          PID:2952
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create btlvfany binPath= "C:\Windows\SysWOW64\btlvfany\zpvopxnw.exe /d\"C:\Users\Admin\AppData\Local\Temp\189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2116
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description btlvfany "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2732
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start btlvfany
          2⤵
          • Launches sc.exe
          PID:2672
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2612
      • C:\Windows\SysWOW64\btlvfany\zpvopxnw.exe
        C:\Windows\SysWOW64\btlvfany\zpvopxnw.exe /d"C:\Users\Admin\AppData\Local\Temp\189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2660

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\zpvopxnw.exe
        Filesize

        10.8MB

        MD5

        99883f479cb7ba2b7c19d7651ac01070

        SHA1

        1b8b5346dab5d12d3e342a742cebec6ea016688f

        SHA256

        e1647eba7b34bf8c31a7901293e17d1bb4846f38443587280fb810ffa4055950

        SHA512

        99554c07675293901d75ff388fb6d6b44bb0e0c0b1af9a1c8f1e20f89e5edbd9595e69ae04c33da727575f818fae049f0edcf82da911cf8ba820f1f2a0b4e6d9

        Download Submit

      • C:\Windows\SysWOW64\btlvfany\zpvopxnw.exe
        Filesize

        10.8MB

        MD5

        99883f479cb7ba2b7c19d7651ac01070

        SHA1

        1b8b5346dab5d12d3e342a742cebec6ea016688f

        SHA256

        e1647eba7b34bf8c31a7901293e17d1bb4846f38443587280fb810ffa4055950

        SHA512

        99554c07675293901d75ff388fb6d6b44bb0e0c0b1af9a1c8f1e20f89e5edbd9595e69ae04c33da727575f818fae049f0edcf82da911cf8ba820f1f2a0b4e6d9

        Download Submit

      • memory/2532-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2532-8-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2532-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2660-16-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2660-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2660-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2660-9-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2660-17-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2660-18-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2660-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2876-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2876-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2876-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2876-1-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download