Overview

overview

10

Static

static

3

5a07cc8e36...5b.exe

windows7-x64

10

5a07cc8e36...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a07cc8e36f22b398224b6685f28475b.exe

  • Size

    13.2MB

  • MD5

    5a07cc8e36f22b398224b6685f28475b

  • SHA1

    10dba11f9e2080f7bc2fb2da7a768eb9a4bde53f

  • SHA256

    81c24a66dbb0f2f3c18d2d88f300fb0c93915af3f2f908b4659665a344d92a36

  • SHA512

    1a1fa5ff1c2ea6d9caeee53d605d9c905ab2960a2238a7d8c89f45ea1f67cb85f83fcbb956bfbf8859e5fff6fff49b85b55c252c30c307e1a0639484f7878a92

  • SSDEEP

    49152:rGvEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEn:rG

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe
    "C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oxynlxak\
      2⤵
        PID:3160
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ldrftsic.exe" C:\Windows\SysWOW64\oxynlxak\
        2⤵
          PID:228
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create oxynlxak binPath= "C:\Windows\SysWOW64\oxynlxak\ldrftsic.exe /d\"C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4504
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description oxynlxak "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4252
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start oxynlxak
          2⤵
          • Launches sc.exe
          PID:3796
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 652
          2⤵
          • Program crash
          PID:2260
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3216 -ip 3216
        1⤵
          PID:3528
        • C:\Windows\SysWOW64\oxynlxak\ldrftsic.exe
          C:\Windows\SysWOW64\oxynlxak\ldrftsic.exe /d"C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Deletes itself
            PID:2736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 508
            2⤵
            • Program crash
            PID:4260
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2420 -ip 2420
          1⤵
            PID:1572

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ldrftsic.exe
            Filesize

            10.5MB

            MD5

            a9273cb1e97c8c2b5d9c9133c020ce89

            SHA1

            fd33889518622a43673d1790272b5af341ad9dc0

            SHA256

            5916d6f0a4a2b0da03e93c1577da19e5730d331f11ce69ff1ac03ed8b059d2a6

            SHA512

            7c0dd914369223d59b5d1975532f3b53b08bc47e35f9549b0c05b8e9667382b5c8ddbb5154c408dd11e46e1e434bac0d85459a3f934b2568a79926252571df73

            Download Submit

          • memory/2420-20-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2420-13-0x0000000000E40000-0x0000000000F40000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2420-14-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2736-15-0x0000000000390000-0x00000000003A5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2736-22-0x0000000000390000-0x00000000003A5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2736-21-0x0000000000390000-0x00000000003A5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2736-19-0x0000000000390000-0x00000000003A5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2736-18-0x0000000000390000-0x00000000003A5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3216-5-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/3216-9-0x0000000002960000-0x0000000002973000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3216-8-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/3216-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3216-3-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/3216-2-0x0000000002960000-0x0000000002973000-memory.dmp

            Filesize

            76KB

            Download