Analysis
-
max time kernel
167s -
max time network
201s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
09/01/2024, 13:46
General
-
Target
4e75e88a93e9867001c1aed9c7223d5b.exe
-
Size
11.8MB
-
MD5
4e75e88a93e9867001c1aed9c7223d5b
-
SHA1
29851dc5848b185c54fa92ef4d782685a2de7398
-
SHA256
666530df26ece50c7111222095f41eb2735f2888b0467e92bfd101e10b415695
-
SHA512
e8025e903ba9614d01a58bd383ead0fa3603c71dc66617323a9e6ab86143350bbda98da19cc4d1bc497e075e78e87f01f73a883ea1c17abcf8feb07b080dcea8
-
SSDEEP
24576:gm1111111111111111111111111111111111111111111111111111111111111n:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e75e88a93e9867001c1aed9c7223d5b.exe"C:\Users\Admin\AppData\Local\Temp\4e75e88a93e9867001c1aed9c7223d5b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qvwjqxko\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nwioytpf.exe" C:\Windows\SysWOW64\qvwjqxko\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create qvwjqxko binPath= "C:\Windows\SysWOW64\qvwjqxko\nwioytpf.exe /d\"C:\Users\Admin\AppData\Local\Temp\4e75e88a93e9867001c1aed9c7223d5b.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description qvwjqxko "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start qvwjqxko2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\qvwjqxko\nwioytpf.exeC:\Windows\SysWOW64\qvwjqxko\nwioytpf.exe /d"C:\Users\Admin\AppData\Local\Temp\4e75e88a93e9867001c1aed9c7223d5b.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD55d2adaaec3e00d83bf1cc6edf11994c9
SHA1abeab4618e5f3eb0b36edb4187d34bb4ab56e51d
SHA2565a7d1dc17114e436a2f9f1e17f57eb4565c7b4f07645464e56ef2d0b58d9eda4
SHA5120c62af37d6ec0e55643359b7d95ab208688e6aa3648df62c91c9638ed0fdca4bf5e6829f2a04c626171a730bb89f5c1f767a2aeb4847b22a61f687e0519aa9b7
-
Filesize
2.9MB
MD5897c80fad08edfed432e38921696c4b4
SHA1835b3e72fdc1b08a4fe7b7bb45f1df1d40ce7108
SHA25655c4bc79a90ae8ec1f8c765aa86debc05da24f0f12f16cdea53c19df9a39c24a
SHA512cc997345ce2cf8404311eeae86918ce1a31dfd5467fcea3e39d5f782a24d0067773d68a2e1ac0ba195d59d5017afaebcba36eef6befe3fcd9a19d70fc63bd033
-
Filesize
40.4MB
-
Filesize
40.4MB
-
Filesize
1024KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
40.4MB
-
Filesize
40.4MB
-
Filesize
76KB
-
Filesize
1024KB