Overview

overview

10

Static

static

3

3757421ea9...d5.exe

windows7-x64

10

3757421ea9...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 13:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3757421ea9ac7501daf8319fd8dfbad5.exe

  • Size

    14.3MB

  • MD5

    3757421ea9ac7501daf8319fd8dfbad5

  • SHA1

    a20ee5932e9f907109e3aca3eecc8c031978ba71

  • SHA256

    092573f07c86f7c1637cc647a266c59a5e6f1b23c4524832fe36fc406551bfe4

  • SHA512

    18b7cc5b8828ada39a47248b93218ee8918304d94f52246f1ce19cb0cfbe7d31e5a50c2d98e0cb48cc02c41dc977f51935af04ae35a3321507cf6828efae42a5

  • SSDEEP

    24576:okTlFKR1iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLX:oLi

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3757421ea9ac7501daf8319fd8dfbad5.exe
    "C:\Users\Admin\AppData\Local\Temp\3757421ea9ac7501daf8319fd8dfbad5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mjubvoaj\
      2⤵
        PID:4376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lxeydjwe.exe" C:\Windows\SysWOW64\mjubvoaj\
        2⤵
          PID:3252
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mjubvoaj binPath= "C:\Windows\SysWOW64\mjubvoaj\lxeydjwe.exe /d\"C:\Users\Admin\AppData\Local\Temp\3757421ea9ac7501daf8319fd8dfbad5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1620
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description mjubvoaj "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3240
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start mjubvoaj
          2⤵
          • Launches sc.exe
          PID:3480
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4440
      • C:\Windows\SysWOW64\mjubvoaj\lxeydjwe.exe
        C:\Windows\SysWOW64\mjubvoaj\lxeydjwe.exe /d"C:\Users\Admin\AppData\Local\Temp\3757421ea9ac7501daf8319fd8dfbad5.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4532

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\lxeydjwe.exe
              Filesize

              4.0MB

              MD5

              e031120850376c7f236e5e8ca5ebc886

              SHA1

              5eaca7ee9d7ce31d1ba206c2c1b278725f11fd78

              SHA256

              2fc6c97f5cb7a11c6eaf92c8d7a7aaf4a3e3f91eab632d3b5538ac8754390d33

              SHA512

              39b48475934de6e1de9ab6a7dc563c2e23a5ae1d8937161e7049b4752c9e41718c087ddf4883ea9674934862f9f2495b51f8fb32b408a581c1f3c4f99d9dd1b6

              Download Submit

            • C:\Windows\SysWOW64\mjubvoaj\lxeydjwe.exe
              Filesize

              978KB

              MD5

              e6cf5d632de7b642a7bf453753fc699d

              SHA1

              23de268c1274e2c880c59daaa46464b2ea70044b

              SHA256

              cdd020e42dc636186a9d34217287b602abf9b28f05f8923dfc2ee4806a411cc1

              SHA512

              b189bf5b5bc96094bf181ea5c98796558f97298ff94805c113cd98a02670a7f76bb4f883297e1a3a0bd1d649e8ebd3d08ae410a1b37930fb2bce3475a62daced

              Download Submit

            • memory/1704-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1704-4-0x0000000000400000-0x00000000023AC000-memory.dmp

              Filesize

              31.7MB

              Download

            • memory/1704-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/1704-7-0x0000000000400000-0x00000000023AC000-memory.dmp

              Filesize

              31.7MB

              Download

            • memory/1704-1-0x00000000026A0000-0x00000000027A0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2224-10-0x00000000024A0000-0x00000000025A0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2224-16-0x0000000000400000-0x00000000023AC000-memory.dmp

              Filesize

              31.7MB

              Download

            • memory/2224-13-0x0000000000400000-0x00000000023AC000-memory.dmp

              Filesize

              31.7MB

              Download

            • memory/4532-11-0x0000000001260000-0x0000000001275000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4532-15-0x0000000001260000-0x0000000001275000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4532-18-0x0000000001260000-0x0000000001275000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4532-17-0x0000000001260000-0x0000000001275000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4532-19-0x0000000001260000-0x0000000001275000-memory.dmp

              Filesize

              84KB

              Download