Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 16:44

General

  • Target

    750095c58829a6d8c2637a5533561606.exe

  • Size

    13.4MB

  • MD5

    750095c58829a6d8c2637a5533561606

  • SHA1

    85bba5814cf21b4427925ac0978751639c57ebc2

  • SHA256

    702854337926972a29d67bfde8673fc202b696f2dfccf7fd21227632e4280737

  • SHA512

    e91a9ec8f678071335b2ed0880cdc2375975dff6186633f03ac7a6584c415aac8da4ea1aead227cd5c74b030137c00ce4fa0ff70db80bba3df74d839c56b439a

  • SSDEEP

    49152:Kj55555555555555555555555555555555555555555555555555555555555557:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\750095c58829a6d8c2637a5533561606.exe
    "C:\Users\Admin\AppData\Local\Temp\750095c58829a6d8c2637a5533561606.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fayhiok\
      2⤵
        PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zqjmtgsr.exe" C:\Windows\SysWOW64\fayhiok\
        2⤵
          PID:2940
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create fayhiok binPath= "C:\Windows\SysWOW64\fayhiok\zqjmtgsr.exe /d\"C:\Users\Admin\AppData\Local\Temp\750095c58829a6d8c2637a5533561606.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2708
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description fayhiok "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1708
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start fayhiok
          2⤵
          • Launches sc.exe
          PID:2792
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2852
      • C:\Windows\SysWOW64\fayhiok\zqjmtgsr.exe
        C:\Windows\SysWOW64\fayhiok\zqjmtgsr.exe /d"C:\Users\Admin\AppData\Local\Temp\750095c58829a6d8c2637a5533561606.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\zqjmtgsr.exe
        Filesize

        5.0MB

        MD5

        aa6372baa1f336b0d3e0f3e2d655f16f

        SHA1

        d2201e8968c92b710cc592ff7d84499477326210

        SHA256

        01cdfa89e21dc43204c0c4518d2b49077fa59aa11ba8259dd7c95f2f0473cf8d

        SHA512

        049fab8f000e2ed44694a5b44cf6a312ac73d217d6e62637e93c3d0050384b3205bf0688dcba07f954524acd24d7b235e2060140ade2d27b5ee2f34ffdc2b513

      • C:\Windows\SysWOW64\fayhiok\zqjmtgsr.exe
        Filesize

        13.8MB

        MD5

        6c9558d9a04706858a301e3c1549e272

        SHA1

        99c4174b33b24674c236740ba5b011b6fec7e26c

        SHA256

        25818f3e05b95bd3671d4c726dcd77fe8b2ccd2da80e3e652ad3a5d20d7ae528

        SHA512

        a1796da17e0655e174c6c4dcf1cb3d268aba08871aa3eeeb259696b8611ec11e8e079d6399ea50d12e394c4281d96ee7783ef6f0c46c96fb5d27cdbe7b08d1b9

      • memory/1160-1-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/1160-2-0x0000000000220000-0x0000000000221000-memory.dmp
        Filesize

        4KB

      • memory/1160-3-0x0000000000230000-0x0000000000231000-memory.dmp
        Filesize

        4KB

      • memory/1160-6-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/1160-0-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/2512-9-0x0000000000220000-0x0000000000221000-memory.dmp
        Filesize

        4KB

      • memory/2512-8-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/2512-17-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/2660-11-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

      • memory/2660-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2660-14-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

      • memory/2660-19-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

      • memory/2660-20-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB

      • memory/2660-21-0x0000000000080000-0x0000000000095000-memory.dmp
        Filesize

        84KB