Analysis

  • max time kernel
    139s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 11:49

General

  • Target

    6c19be479361d119caa214d5acef2232.exe

  • Size

    11.2MB

  • MD5

    6c19be479361d119caa214d5acef2232

  • SHA1

    55923b8e052d384e8f891989e530c6ad3796342f

  • SHA256

    db11c62d3ffd2a11e8631c7e641c66d7518de8cd8f091eba5861b33219709bf0

  • SHA512

    3cccbbe282f73962371fffba0c77275847c76c41e90236b4b8f0b1169283d8c0af724b361fbcd711efb45c73f32dc0721b0cdfa5be826e6568a1f80975f0caf9

  • SSDEEP

    49152:pitpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp7:pi

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c19be479361d119caa214d5acef2232.exe
    "C:\Users\Admin\AppData\Local\Temp\6c19be479361d119caa214d5acef2232.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\prnyysrc\
        PID:4960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gpezlkrb.exe" C:\Windows\SysWOW64\prnyysrc\
        PID:1240
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" create prnyysrc binPath= "C:\Windows\SysWOW64\prnyysrc\gpezlkrb.exe /d\"C:\Users\Admin\AppData\Local\Temp\6c19be479361d119caa214d5acef2232.exe\"" type= own start= auto DisplayName= "wifi support"
        • Launches sc.exe
        PID:3196
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" description prnyysrc "wifi internet conection"
        • Launches sc.exe
        PID:4772
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" start prnyysrc
        • Launches sc.exe
        PID:3840
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        • Modifies Windows Firewall
        PID:4496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1188
        • Program crash
        PID:1580
  • C:\Windows\SysWOW64\prnyysrc\gpezlkrb.exe
    C:\Windows\SysWOW64\prnyysrc\gpezlkrb.exe /d"C:\Users\Admin\AppData\Local\Temp\6c19be479361d119caa214d5acef2232.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3108
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        • Sets service image path in registry
        • Deletes itself
        PID:1516
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 516
        • Program crash
        PID:1032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320
    PID:4416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3108 -ip 3108
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gpezlkrb.exe
    Filesize
    4.6MB
    MD5
    1d442961abffe04421505903b5b4640f
    SHA1
    a5183d5b54c84b2028b06b5737009de7830d6ca2
    SHA256
    34cdc1fe92245c1ae97fac60d297712d119e200c0e9ca908278e4c5622793484
    SHA512
    893a8f928833f08c932c29d72e40058601a95bcd4ac99fe224ebfa47a7faa3e6732e7c5f969ac530a10ebca69ce02b21552f5fca994672b9584f69859ed6e44f

  • C:\Windows\SysWOW64\prnyysrc\gpezlkrb.exe
    Filesize
    1.3MB
    MD5
    e6ae2002d16c5ac5cf4baf3f93049c94
    SHA1
    53ded4663b53a01f114e40be93840357f756e2d3
    SHA256
    b94511439f631f91e256bac52ae0f6ab9912a9fe05a996a9a1da377cfae7761f
    SHA512
    cc0393eb8dc7db8b58fe4342c6edfd2685c8cb1f16eb33bc05d4210361a8cc9b6c2178a3c61af118aaaafe8ea4e35194e064fbe3792ad501242648daec97ba05

  • memory/1516-16-0x0000000000830000-0x0000000000845000-memory.dmp
    Filesize
    84KB

  • memory/1516-11-0x0000000000830000-0x0000000000845000-memory.dmp
    Filesize
    84KB

  • memory/1516-18-0x0000000000830000-0x0000000000845000-memory.dmp
    Filesize
    84KB

  • memory/1516-19-0x0000000000830000-0x0000000000845000-memory.dmp
    Filesize
    84KB

  • memory/2320-4-0x0000000000400000-0x0000000000C14000-memory.dmp
    Filesize
    8.1MB

  • memory/2320-1-0x0000000000E20000-0x0000000000F20000-memory.dmp
    Filesize
    1024KB

  • memory/2320-8-0x0000000000DC0000-0x0000000000DD3000-memory.dmp
    Filesize
    76KB

  • memory/2320-7-0x0000000000400000-0x0000000000C14000-memory.dmp
    Filesize
    8.1MB

  • memory/2320-2-0x0000000000DC0000-0x0000000000DD3000-memory.dmp
    Filesize
    76KB

  • memory/3108-13-0x0000000000400000-0x0000000000C14000-memory.dmp
    Filesize
    8.1MB

  • memory/3108-17-0x0000000000400000-0x0000000000C14000-memory.dmp
    Filesize
    8.1MB

  • memory/3108-10-0x0000000000C60000-0x0000000000D60000-memory.dmp
    Filesize
    1024KB