Overview

overview

10

Static

static

3

1c0a51e46a...35.exe

windows7-x64

10

1c0a51e46a...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c0a51e46a97e39af8c7f2d756563035.exe

  • Size

    14.8MB

  • MD5

    1c0a51e46a97e39af8c7f2d756563035

  • SHA1

    937759508af670d83b558012cfd57d90a7570755

  • SHA256

    bc933a99a23308afd8537adc4da5ccefa080eaaf26c31b1e9a804f557ba258c7

  • SHA512

    ebbb6969eb48bf2ce1eb8fa8eef358861aadf2505d45042050c27586366cd9df74323491f6966cc8d4f7a5695dd6fe8659750834479a57ec60b7a9f6a9c981ad

  • SSDEEP

    49152:SkVuhFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFP:Sk

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c0a51e46a97e39af8c7f2d756563035.exe
    "C:\Users\Admin\AppData\Local\Temp\1c0a51e46a97e39af8c7f2d756563035.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dxgmfkxq\
      2⤵
        PID:452
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\khecozoc.exe" C:\Windows\SysWOW64\dxgmfkxq\
        2⤵
          PID:4988
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dxgmfkxq binPath= "C:\Windows\SysWOW64\dxgmfkxq\khecozoc.exe /d\"C:\Users\Admin\AppData\Local\Temp\1c0a51e46a97e39af8c7f2d756563035.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2012
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description dxgmfkxq "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2548
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start dxgmfkxq
          2⤵
          • Launches sc.exe
          PID:3760
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1308
          2⤵
          • Program crash
          PID:3552
      • C:\Windows\SysWOW64\dxgmfkxq\khecozoc.exe
        C:\Windows\SysWOW64\dxgmfkxq\khecozoc.exe /d"C:\Users\Admin\AppData\Local\Temp\1c0a51e46a97e39af8c7f2d756563035.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4884
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 220
          2⤵
          • Program crash
          PID:1892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4948 -ip 4948
        1⤵
          PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1224 -ip 1224
          1⤵
            PID:648

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\khecozoc.exe
            Filesize

            8.4MB

            MD5

            4b665e63bc3f01a4167aa4aeac6f6910

            SHA1

            16e402b2acb49ba7199cdc86b66b55834c66395f

            SHA256

            d408c9e69b40dc32c244cd10493816350eebbac0d199c8cf756faac911371483

            SHA512

            c77e7b6043fb3882f23af9753a2acedbf07adf074ffafb87b5e1252a27516a496023ac737c9899a6cef6b998190caf1a1de3b8f8bc597f5a65c643d5ab54fd08

            Download Submit

          • C:\Windows\SysWOW64\dxgmfkxq\khecozoc.exe
            Filesize

            11.8MB

            MD5

            e119825255e138b1fa9426876ce97c1a

            SHA1

            5b84e609dacadbb157215d5d0f646d15e0b6e5b4

            SHA256

            1563644ece51748ad4799ee1ec4762251b64ade3269a7f0aa6d6af7d82f50125

            SHA512

            cd0dffec02452cd4241c9192bae559bca861ccbabfb3f7f6b4924530d4674d59f6aff0befa3b4881c678e4fcd8c6c726188c95eb29bffe33807d3daaa3e57ff2

            Download Submit

          • memory/1224-12-0x0000000000400000-0x0000000000C17000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1224-5-0x0000000000400000-0x0000000000C17000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1224-4-0x0000000000400000-0x0000000000C17000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1224-2-0x0000000002820000-0x0000000002833000-memory.dmp

            Filesize

            76KB

            Download

          • memory/1224-1-0x0000000000D60000-0x0000000000E60000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1224-14-0x0000000000D60000-0x0000000000E60000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4884-23-0x0000000000720000-0x0000000000735000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4884-22-0x0000000000720000-0x0000000000735000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4884-18-0x0000000000720000-0x0000000000735000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4884-13-0x0000000000720000-0x0000000000735000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4884-21-0x0000000000720000-0x0000000000735000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4948-11-0x0000000000400000-0x0000000000C17000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/4948-17-0x0000000000400000-0x0000000000C17000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/4948-10-0x0000000000D70000-0x0000000000D83000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4948-9-0x0000000000F00000-0x0000000001000000-memory.dmp

            Filesize

            1024KB

            Download