Overview

overview

10

Static

static

3

12ea280381...54.exe

windows7-x64

10

12ea280381...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 12:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    12ea2803817cfe70a85e0766b35de554.exe

  • Size

    14.8MB

  • MD5

    12ea2803817cfe70a85e0766b35de554

  • SHA1

    df4fbcfa11b195bd8836c8ad7ec86c7ab9e0299f

  • SHA256

    4f743258a31bb67f3b4a52a2ce3b63cbdb9f1e4c2727a42787f3d0d13f803d60

  • SHA512

    9dde9a20f5c14503d678044f6e7070878218e26f9f7dbd70b042d7cf4696497501e8e3c8e3eca99084afce80c85aaf64f2ce83adf8c305c9c56c491fe411f059

  • SSDEEP

    49152:Kgnttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttn:K

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ea2803817cfe70a85e0766b35de554.exe
    "C:\Users\Admin\AppData\Local\Temp\12ea2803817cfe70a85e0766b35de554.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qsoxocal\
      2⤵
        PID:3956
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mujnayhh.exe" C:\Windows\SysWOW64\qsoxocal\
        2⤵
          PID:5076
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qsoxocal binPath= "C:\Windows\SysWOW64\qsoxocal\mujnayhh.exe /d\"C:\Users\Admin\AppData\Local\Temp\12ea2803817cfe70a85e0766b35de554.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2036
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qsoxocal "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:552
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qsoxocal
          2⤵
          • Launches sc.exe
          PID:1504
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4880
      • C:\Windows\SysWOW64\qsoxocal\mujnayhh.exe
        C:\Windows\SysWOW64\qsoxocal\mujnayhh.exe /d"C:\Users\Admin\AppData\Local\Temp\12ea2803817cfe70a85e0766b35de554.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1096

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\mujnayhh.exe
              Filesize

              522KB

              MD5

              7758d78038b12ed3bf8edb6fe070ada1

              SHA1

              27e0cfb2bf8ee063c7934c2b847d08e405a5a844

              SHA256

              6075924046fdbb645c7870261e26bde4348c4e249c247c3143b49d00353dd9f0

              SHA512

              f5011f3acd5450aaf0d6bddd908da571e4da7e09d984e8278c4125020912abd84acb8bd096ce328a1dc1c71375cc34921902e3d4bb6d910b01795d7fbf743153

              Download Submit

            • C:\Windows\SysWOW64\qsoxocal\mujnayhh.exe
              Filesize

              166KB

              MD5

              d3e7febc3f950cea5f17506770d7f641

              SHA1

              8c8c54bcff865216be8df128d54c6148b40789a5

              SHA256

              27779d7bfb496c9986344ad103003589e9daa2ce325ed84491f9ae735c8c1f47

              SHA512

              2fe6b60d732091817cc9b548e91a17a1b634ab9c35d4a0e2817fb1d66b35cfc5e758b4f82bffb25b6d853343c337ab83a0870afbce8d7c723b4538c96ae1c129

              Download Submit

            • memory/1012-8-0x0000000000700000-0x0000000000713000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1012-1-0x0000000000780000-0x0000000000880000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1012-3-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/1012-7-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/1012-2-0x0000000000700000-0x0000000000713000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1096-12-0x00000000004A0000-0x00000000004B5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1096-17-0x00000000004A0000-0x00000000004B5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1096-18-0x00000000004A0000-0x00000000004B5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1096-16-0x00000000004A0000-0x00000000004B5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1096-19-0x00000000004A0000-0x00000000004B5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3592-13-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/3592-11-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/3592-10-0x00000000004F0000-0x00000000005F0000-memory.dmp

              Filesize

              1024KB

              Download