Overview

overview

10

Static

static

3

00c6c6c227...64.exe

windows7-x64

10

00c6c6c227...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00c6c6c2279d82386f35e313b20e2f64.exe

  • Size

    14.9MB

  • MD5

    00c6c6c2279d82386f35e313b20e2f64

  • SHA1

    3fb56c91e1f98a1947b0e46a6670eff8608e7607

  • SHA256

    11f82a741fea978323326417b3632e106ad60c8f9005dc23d2daff6a4e51e8d6

  • SHA512

    42b4726ff580b27108a19dae2e0c662666a611fc417a24e988a92cb20ea296d987e6410d6c7003a93d5e282cc78396d4caa43f41c8965f61bd2e86a6c5ccba06

  • SSDEEP

    12288:gRXQK44fy611111111111111111111111111111111111111111111111111111l:gRx2

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00c6c6c2279d82386f35e313b20e2f64.exe
    "C:\Users\Admin\AppData\Local\Temp\00c6c6c2279d82386f35e313b20e2f64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kbizuled\
      2⤵
        PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\disnhtqs.exe" C:\Windows\SysWOW64\kbizuled\
        2⤵
          PID:2864
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kbizuled binPath= "C:\Windows\SysWOW64\kbizuled\disnhtqs.exe /d\"C:\Users\Admin\AppData\Local\Temp\00c6c6c2279d82386f35e313b20e2f64.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2580
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kbizuled "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2688
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kbizuled
          2⤵
          • Launches sc.exe
          PID:2916
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2568
      • C:\Windows\SysWOW64\kbizuled\disnhtqs.exe
        C:\Windows\SysWOW64\kbizuled\disnhtqs.exe /d"C:\Users\Admin\AppData\Local\Temp\00c6c6c2279d82386f35e313b20e2f64.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:2192

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\disnhtqs.exe
        Filesize

        1.8MB

        MD5

        dff494aa49d9959421751a463bc892eb

        SHA1

        9c458126187a597ea0f2124cbc6b82b7414c4897

        SHA256

        6d4874af562d7a2295fbb9c5b5ca40128fcff07612ce20361e570f2708f4aead

        SHA512

        e8863e729da8db2a10fe2039bf4b600e44ca0b94578881bcb7f2225ef8a5a252de0a00f43abdfbb5493205aba07eb10c4ed979f2be735d23613ddf4dcb4613e7

        Download Submit

      • C:\Windows\SysWOW64\kbizuled\disnhtqs.exe
        Filesize

        1.1MB

        MD5

        56b12808b156e34c638fb246312b5ec1

        SHA1

        e2b11e0c8e81fae673b4997105cef2ec757acf73

        SHA256

        55265254069535ac88f4f798159e9689be107d4f112d1c5d79259857d48fa45e

        SHA512

        db546e14f5bc20e1d753afc8d868d92c3edb2a00ab6c3ed48e1a7d590aae01df7256d0cf5665ac4463c0e50b7df79298ba28c0ef5f46342f298bb51351271bb2

        Download Submit

      • memory/2188-19-0x0000000000400000-0x0000000003359000-memory.dmp

        Filesize

        47.3MB

        Download

      • memory/2188-10-0x0000000003400000-0x0000000003500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2188-22-0x0000000000400000-0x0000000003359000-memory.dmp

        Filesize

        47.3MB

        Download

      • memory/2188-17-0x0000000000400000-0x0000000003359000-memory.dmp

        Filesize

        47.3MB

        Download

      • memory/2192-14-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2192-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2192-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2192-18-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2192-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2192-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2192-23-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2372-4-0x0000000000400000-0x0000000003359000-memory.dmp

        Filesize

        47.3MB

        Download

      • memory/2372-1-0x00000000034F0000-0x00000000035F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2372-2-0x0000000000020000-0x0000000000033000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2372-7-0x0000000000400000-0x0000000003359000-memory.dmp

        Filesize

        47.3MB

        Download