Overview

overview

10

Static

static

3

00c5663547...9f.exe

windows7-x64

10

00c5663547...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 18:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    00c56635473dd208896b29f6a030d19f.exe

  • Size

    11.7MB

  • MD5

    00c56635473dd208896b29f6a030d19f

  • SHA1

    b11bd4e24d06d3249e7e0f0fb1d4c92fa4027b0c

  • SHA256

    0d5ef3fe0be680bbdf3fa207553673a3ca01e500476cd7364bcf8357f6fb0bc3

  • SHA512

    5dcb84ffbaee4b44efeba5b400d51a248fbc01eb9df957d77cb06c391709aea1dc93c734875e08f9b1fd8fc4566e56eb4d5815000ffbb4b3267e7d6bef1d7fd5

  • SSDEEP

    49152:Kjrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrz:0

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00c56635473dd208896b29f6a030d19f.exe
    "C:\Users\Admin\AppData\Local\Temp\00c56635473dd208896b29f6a030d19f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ufvvqhps\
      2⤵
        PID:3776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\arknuhts.exe" C:\Windows\SysWOW64\ufvvqhps\
        2⤵
          PID:4512
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ufvvqhps binPath= "C:\Windows\SysWOW64\ufvvqhps\arknuhts.exe /d\"C:\Users\Admin\AppData\Local\Temp\00c56635473dd208896b29f6a030d19f.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1192
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ufvvqhps "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:5104
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ufvvqhps
          2⤵
          • Launches sc.exe
          PID:4764
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3012
      • C:\Windows\SysWOW64\ufvvqhps\arknuhts.exe
        C:\Windows\SysWOW64\ufvvqhps\arknuhts.exe /d"C:\Users\Admin\AppData\Local\Temp\00c56635473dd208896b29f6a030d19f.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1964

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\arknuhts.exe
              Filesize

              347KB

              MD5

              aab2c023d3e22cbf8972bf884cc01afe

              SHA1

              b18cc74a898e915023c1db6c981999227b8ee39c

              SHA256

              a0ab69030fd54d2d137076e8ab6132ffb1b7f46d047d08a6474d04296ce1dd89

              SHA512

              78dce08fe45499c0f8a4053037d2645acea16b433d8ee8721301c9691252475b4b8ae47589c6f3e14e655fb04cce73b6668cef1e8843b6b78ddae3f9dd01c166

              Download Submit

            • C:\Windows\SysWOW64\ufvvqhps\arknuhts.exe
              Filesize

              381KB

              MD5

              698496572af3d68659a8118a852636b1

              SHA1

              6ccb1db6108a2237a3f6f79623a2f86cb9020e81

              SHA256

              9b97b8ba9bba1896b7792d195a19f43f89a859a0b8cb706f3241131ff0846477

              SHA512

              f03454f8bca2f4f456f7716db9770949121024bb155f490e738de8aa055fb25222dbf59775f7a88bf77b3e8a6d8978a6022ed78c4b7a06439dfc0bc04403f81c

              Download Submit

            • memory/1964-18-0x0000000000110000-0x0000000000125000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1964-17-0x0000000000110000-0x0000000000125000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1964-15-0x0000000000110000-0x0000000000125000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1964-16-0x0000000000110000-0x0000000000125000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1964-11-0x0000000000110000-0x0000000000125000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4592-1-0x00000000004F0000-0x00000000004F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4592-6-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4592-0-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4592-2-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4592-3-0x0000000000500000-0x0000000000501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4904-8-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4904-9-0x00000000004A0000-0x00000000004A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4904-12-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download