Overview

overview

10

Static

static

3

65c0ab98ad...d8.exe

windows7-x64

10

65c0ab98ad...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65c0ab98adcba2c36a8da6d36a1b12d8.exe

  • Size

    11.7MB

  • MD5

    65c0ab98adcba2c36a8da6d36a1b12d8

  • SHA1

    b68e7f29929883834dc771c5b61732f10503ab7e

  • SHA256

    74bd2e5d66d6ccb15a6ff3ece5ec2f56dafe6fffb201d73c0a9f1d06818542f1

  • SHA512

    6931e99653ce5ebe1375aa050dceaa04c0bde1bb69929a8f8998ec8268c093d7362a76c5ad7557a1ed8cd089a89a44fc0498c8ee7fa5c4da18842cf26772136c

  • SSDEEP

    6144:bnqXDHjKw5RZmN+RrjeO6wWSLL78/nk5agPEWHtIhiiiiiiiiiiiiiiiiiiiiiiz:+XbjKw5bmN+RPWcLI/niag8E

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65c0ab98adcba2c36a8da6d36a1b12d8.exe
    "C:\Users\Admin\AppData\Local\Temp\65c0ab98adcba2c36a8da6d36a1b12d8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nqtwzyye\
      2⤵
        PID:5052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ntephwqc.exe" C:\Windows\SysWOW64\nqtwzyye\
        2⤵
          PID:3872
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nqtwzyye binPath= "C:\Windows\SysWOW64\nqtwzyye\ntephwqc.exe /d\"C:\Users\Admin\AppData\Local\Temp\65c0ab98adcba2c36a8da6d36a1b12d8.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:636
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nqtwzyye "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1972
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nqtwzyye
          2⤵
          • Launches sc.exe
          PID:3312
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4616
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1224
          2⤵
          • Program crash
          PID:3516
      • C:\Windows\SysWOW64\nqtwzyye\ntephwqc.exe
        C:\Windows\SysWOW64\nqtwzyye\ntephwqc.exe /d"C:\Users\Admin\AppData\Local\Temp\65c0ab98adcba2c36a8da6d36a1b12d8.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 516
          2⤵
          • Program crash
          PID:4432
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3076 -ip 3076
        1⤵
          PID:3048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2504 -ip 2504
          1⤵
            PID:4548

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ntephwqc.exe
            Filesize

            7.0MB

            MD5

            d453126a88ed9bde5041e5514e093b96

            SHA1

            e6ff7250e841e6daa5f1b59184378e9482585d25

            SHA256

            7275a94c0519a1425134c22d5ba389920b0faf1b80ced9981a9d3d9aac4411a1

            SHA512

            22615c6641956cf363869b9c504789ad168c434eb8705ce67a2180b276921595dad8c6dd52cb36a98dd4a5b4c80492e5fad362506ec383b2fa4cb15f0e5de820

            Download Submit

          • C:\Windows\SysWOW64\nqtwzyye\ntephwqc.exe
            Filesize

            1.5MB

            MD5

            668f264d5222368eb1a7ece718bc282e

            SHA1

            1e97960fee0497e2cee07252b763fb627add4460

            SHA256

            1a197bf9cfc58be3b3ec2b8e6468b6b56f172ae249dc5fe796e1becb386d7638

            SHA512

            73b1d0623cff435244820f9d870ff0fcc376c2fbb8895b0fa5a076ad4fdb413dec99f80a0a863b8e8ad52380b22813a1f7ad67f1d566a1762eb05425250b1641

            Download Submit

          • memory/2504-14-0x0000000000400000-0x00000000008EA000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2504-12-0x0000000000960000-0x0000000000A60000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3076-8-0x0000000000A50000-0x0000000000A63000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3076-7-0x0000000000400000-0x00000000008EA000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/3076-1-0x0000000000A70000-0x0000000000B70000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3076-4-0x0000000000400000-0x00000000008EA000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/3076-2-0x0000000000A50000-0x0000000000A63000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4552-10-0x00000000010C0000-0x00000000010D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4552-16-0x00000000010C0000-0x00000000010D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4552-18-0x00000000010C0000-0x00000000010D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4552-15-0x00000000010C0000-0x00000000010D5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4552-19-0x00000000010C0000-0x00000000010D5000-memory.dmp

            Filesize

            84KB

            Download