Overview

overview

10

Static

static

3

598c4c5cc7...3a.exe

windows7-x64

10

598c4c5cc7...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2024 22:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    598c4c5cc7d092aa5582b8a34777e53a.exe

  • Size

    10.2MB

  • MD5

    598c4c5cc7d092aa5582b8a34777e53a

  • SHA1

    492cb28919b5ccdbac6f690061ead4e289bc1238

  • SHA256

    c78cbeb30a5a688753dbc1bace6590378310bb7589a40b5cfcdca98bba463496

  • SHA512

    39d0d8fbb640044567266a56e90ec7afc22f0c917d7900706c7743145ad19098a15f8012c24c3329f0ffeb289363b38cda577f035ce32f90aaa70b7db8b7efde

  • SSDEEP

    24576:10PvTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT:1

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\598c4c5cc7d092aa5582b8a34777e53a.exe
    "C:\Users\Admin\AppData\Local\Temp\598c4c5cc7d092aa5582b8a34777e53a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vqmlmafj\
      2⤵
        PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cgnrtwmy.exe" C:\Windows\SysWOW64\vqmlmafj\
        2⤵
          PID:4384
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create vqmlmafj binPath= "C:\Windows\SysWOW64\vqmlmafj\cgnrtwmy.exe /d\"C:\Users\Admin\AppData\Local\Temp\598c4c5cc7d092aa5582b8a34777e53a.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:5056
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description vqmlmafj "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3324
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start vqmlmafj
          2⤵
          • Launches sc.exe
          PID:376
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1180
          2⤵
          • Program crash
          PID:3536
      • C:\Windows\SysWOW64\vqmlmafj\cgnrtwmy.exe
        C:\Windows\SysWOW64\vqmlmafj\cgnrtwmy.exe /d"C:\Users\Admin\AppData\Local\Temp\598c4c5cc7d092aa5582b8a34777e53a.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 520
          2⤵
          • Program crash
          PID:2600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5048 -ip 5048
        1⤵
          PID:4424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4816 -ip 4816
          1⤵
            PID:672

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\cgnrtwmy.exe
            Filesize

            4.6MB

            MD5

            0b1c48210258d9e916889149224aba61

            SHA1

            65afb2cc6df7544d4eb3913edf216701a5415036

            SHA256

            c876be60b1672ce705c22384245ffe1a51b34a51fe56fa309776a9462701dbab

            SHA512

            1d4425966549ccd84496936db353ef5fc09f399bce8374a469031dca5b251c233fc2d4827120c4918759195b7bc463108d99ff15edc4cd2b978b0641675d6913

            Download Submit

          • C:\Windows\SysWOW64\vqmlmafj\cgnrtwmy.exe
            Filesize

            1KB

            MD5

            b04459318dcbd58657897aa4da45555d

            SHA1

            dcff52760c7dc3e17259ad148682bac18f8a0845

            SHA256

            add557e201744551aef99e03425d0cf50b919c08f9645dfc8924a7795ea1bd64

            SHA512

            bc4c331bf2a160a8296245a90edf2f1e565b9bd4ec4191a6736276383d91bbc50a742e43f62789c761df5324c82c333f217f4ab2cd4327fe2b7f6b4d2f880db1

            Download Submit

          • memory/4420-14-0x0000000000570000-0x0000000000585000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-11-0x0000000000570000-0x0000000000585000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-16-0x0000000000570000-0x0000000000585000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-17-0x0000000000570000-0x0000000000585000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4420-19-0x0000000000570000-0x0000000000585000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4816-10-0x0000000002D90000-0x0000000002E90000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4816-15-0x0000000000400000-0x0000000002C6D000-memory.dmp

            Filesize

            40.4MB

            Download

          • memory/4816-18-0x0000000000400000-0x0000000002C6D000-memory.dmp

            Filesize

            40.4MB

            Download

          • memory/5048-4-0x0000000000400000-0x0000000002C6D000-memory.dmp

            Filesize

            40.4MB

            Download

          • memory/5048-2-0x0000000002F10000-0x0000000002F23000-memory.dmp

            Filesize

            76KB

            Download

          • memory/5048-8-0x0000000000400000-0x0000000002C6D000-memory.dmp

            Filesize

            40.4MB

            Download

          • memory/5048-9-0x0000000002F10000-0x0000000002F23000-memory.dmp

            Filesize

            76KB

            Download

          • memory/5048-1-0x0000000002F70000-0x0000000003070000-memory.dmp

            Filesize

            1024KB

            Download