Analysis

  • max time kernel
    148s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 07:22

General

  • Target

    5c377c45c77ff6a4746edfac21e2c069.exe

  • Size

    11.5MB

  • MD5

    5c377c45c77ff6a4746edfac21e2c069

  • SHA1

    53cdb3538fbd9111031bfa5286fd4908a0b2ba8f

  • SHA256

    2506360adfcecd45ae92155363fdaadd0d3fa888942cb1a3dc6251c05317726b

  • SHA512

    7bf7e437b3aa39684723d8f4771c9f35d009925de9575acb449e4d649a949ea46b411b536e3ce6bf75b4e530a6349babbdb30edaf87eae4a5ed08b669261a5a5

  • SSDEEP

    49152:/O2iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii6:/O

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe
    "C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xlkhptq\
      2⤵
        PID:904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttucidfr.exe" C:\Windows\SysWOW64\xlkhptq\
        2⤵
          PID:1556
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xlkhptq binPath= "C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3144
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description xlkhptq "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start xlkhptq
          2⤵
          • Launches sc.exe
          PID:3732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1260
          2⤵
          • Program crash
          PID:4700
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3612
      • C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe
        C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe /d"C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1180
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 508
          2⤵
          • Program crash
          PID:2632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
        1⤵
          PID:4760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3960 -ip 3960
          1⤵
            PID:3944

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ttucidfr.exe

            Filesize

            2.4MB

            MD5

            2538a5e46fc6ec6c73ed7aaa108328c5

            SHA1

            368ced06f4475b8ab90f05a42fa4da6e4d83369f

            SHA256

            e313a913d3fccb5b2596ddcc7dedaebdaf7555c33d5af1ed5de253a5029eba5e

            SHA512

            0ffae1673f9b155038038100ba7393aaffd07cd059705f5e6d073094a338e3aa33c3dc0e445838773b15808ffe92cbcf52796f19e373f2ebaa0fd7c8220dee13

          • C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe

            Filesize

            2.3MB

            MD5

            a86feb9e0a820ed37f19626d2c65e811

            SHA1

            4d1ca3b396694b816e482226fe4bf50bc09fdb74

            SHA256

            f63643371ec48ae5037358549534349b58349e7ee065c2f23e44f95ba8636415

            SHA512

            501cc3fcf0eddd432520286660b711457e2a7aa95cbcebbe3d5d77c26709f97fa186a8f5f4d2833cd31f901694d099198630cf1116864d0e8151bd77e727fc4b

          • memory/1180-16-0x0000000000960000-0x0000000000975000-memory.dmp

            Filesize

            84KB

          • memory/1180-19-0x0000000000960000-0x0000000000975000-memory.dmp

            Filesize

            84KB

          • memory/1180-10-0x0000000000960000-0x0000000000975000-memory.dmp

            Filesize

            84KB

          • memory/1180-15-0x0000000000960000-0x0000000000975000-memory.dmp

            Filesize

            84KB

          • memory/1180-18-0x0000000000960000-0x0000000000975000-memory.dmp

            Filesize

            84KB

          • memory/1480-7-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

          • memory/1480-1-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

            Filesize

            1024KB

          • memory/1480-8-0x0000000002640000-0x0000000002653000-memory.dmp

            Filesize

            76KB

          • memory/1480-4-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

          • memory/1480-2-0x0000000002640000-0x0000000002653000-memory.dmp

            Filesize

            76KB

          • memory/3960-17-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

          • memory/3960-13-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

          • memory/3960-11-0x00000000009C0000-0x0000000000AC0000-memory.dmp

            Filesize

            1024KB