Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/11/2023, 01:00

General

  • Target

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

  • Size

    254KB

  • MD5

    02ac11d7691ed7141949fc5c03d5aae8

  • SHA1

    b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac

  • SHA256

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee

  • SHA512

    c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e

  • SSDEEP

    3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\amjzztdz\
      2⤵
        PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mtsfnnvz.exe" C:\Windows\SysWOW64\amjzztdz\
        2⤵
          PID:5084
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create amjzztdz binPath= "C:\Windows\SysWOW64\amjzztdz\mtsfnnvz.exe /d\"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1944
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description amjzztdz "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2312
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start amjzztdz
          2⤵
          • Launches sc.exe
          PID:2956
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1040
          2⤵
          • Program crash
          PID:3112
      • C:\Windows\SysWOW64\amjzztdz\mtsfnnvz.exe
        C:\Windows\SysWOW64\amjzztdz\mtsfnnvz.exe /d"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
        1⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:3508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 520
          2⤵
          • Program crash
          PID:3952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1768 -ip 1768
        1⤵
          PID:4324
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1104 -ip 1104
          1⤵
            PID:5052

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\mtsfnnvz.exe

                  Filesize

                  10.1MB

                  MD5

                  d2ab16c91c515b41373703961890b49a

                  SHA1

                  e2dd871438b359656edd5fe2008a279ad3e88588

                  SHA256

                  f9dbdcdd845633c7121444e7fa7788a3174d041c9543586b72adc2142dfc421a

                  SHA512

                  de62d37860a123609c5c50bf4e451624b7c07fb57f7b25d42ac8121b3b03c4fd572d43837dff98654a76bb09db294c04487ff20550db344293c926058621e96c

                • C:\Windows\SysWOW64\amjzztdz\mtsfnnvz.exe

                  Filesize

                  10.1MB

                  MD5

                  d2ab16c91c515b41373703961890b49a

                  SHA1

                  e2dd871438b359656edd5fe2008a279ad3e88588

                  SHA256

                  f9dbdcdd845633c7121444e7fa7788a3174d041c9543586b72adc2142dfc421a

                  SHA512

                  de62d37860a123609c5c50bf4e451624b7c07fb57f7b25d42ac8121b3b03c4fd572d43837dff98654a76bb09db294c04487ff20550db344293c926058621e96c
