Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-02-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe

  • Size

    282KB

  • MD5

    bf884222d475c45abe8cd88d39b6f84a

  • SHA1

    3819e4744d82d9dc895c13bdeeabd6c13003fa69

  • SHA256

    e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30

  • SHA512

    3e7c2d42a82269492e21ee18add80da57943d7a310ad6df453e8a838b52150e6acfc885afc377e417c24ebd0d72bf5c19596c701139ef02748f993fad6d1cb82

  • SSDEEP

    3072:2CxBPmvf4gRns9F1xleC9bynC/Q65W0oBQ5LlxG:txmnL8F1+C9WnCyFE

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 10 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe
    "C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qtrokhlk\
      2⤵
        PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tnnfiswi.exe" C:\Windows\SysWOW64\qtrokhlk\
        2⤵
          PID:4648
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qtrokhlk binPath= "C:\Windows\SysWOW64\qtrokhlk\tnnfiswi.exe /d\"C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1184
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qtrokhlk "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4640
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qtrokhlk
          2⤵
          • Launches sc.exe
          PID:812
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2536
      • C:\Windows\SysWOW64\qtrokhlk\tnnfiswi.exe
        C:\Windows\SysWOW64\qtrokhlk\tnnfiswi.exe /d"C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9i1RFUgrXnBcmF5CVCog2JFhgdz9yL95r2wxr9rjQHqD6vrduBgBiXYbTYyFARFu3HWNJJGRJaPWoc5uSqEp8Ke5LbCNSr9.250000 -p x -k -a cn/half --cpu-priority 1
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tnnfiswi.exe
        Filesize

        1.6MB

        MD5

        fbf1884eabaa32af816a117846fef05b

        SHA1

        99404a75f228dfae2acc12011ba251e83066faa6

        SHA256

        79e434c2511a5d264d6de8c8786d26475056848a62573a2ac1c488419258299c

        SHA512

        78803ed8a1a3ebf2a7f02af692c587e8aca55ae2e377ce036dfc273780e4fd5414ed4dbd6516191307ae3a6fcee9c712165a199ac2f0a235a47159466632ba3e

        Download Submit

      • C:\Windows\SysWOW64\qtrokhlk\tnnfiswi.exe
        Filesize

        176KB

        MD5

        b40edae2cd088dceadcf3f1cf82a97fe

        SHA1

        222d68e708de2d04be9d10eb373ae62898d7f532

        SHA256

        7363da458bb61062db461b5a8d5618212d243fdf6f6c25c0eba3887678ba9862

        SHA512

        1fd804a2edb651600a1d0032950aaa83e7210e95cf6ac43e0d0b4ac4634c5f0c55e9c4e8ad517ff7188ac67bc8bf78975721fb6dab27b3714c810add6184d4e8

        Download Submit

      • memory/3280-9-0x0000000002C00000-0x0000000002D00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3280-13-0x0000000000400000-0x0000000002ABC000-memory.dmp

        Filesize

        38.7MB

        Download

      • memory/3280-16-0x0000000000400000-0x0000000002ABC000-memory.dmp

        Filesize

        38.7MB

        Download

      • memory/3772-39-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-33-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-10-0x00000000029D0000-0x00000000029E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3772-74-0x00000000029D0000-0x00000000029E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3772-24-0x0000000004760000-0x000000000496F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3772-18-0x00000000029D0000-0x00000000029E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3772-19-0x00000000029D0000-0x00000000029E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3772-21-0x0000000004760000-0x000000000496F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3772-48-0x00000000030C0000-0x00000000030C5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/3772-52-0x0000000009510000-0x000000000991B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3772-25-0x0000000002D50000-0x0000000002D56000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3772-56-0x00000000030E0000-0x00000000030E7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3772-28-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-31-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-32-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-40-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-34-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-35-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-36-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-37-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-55-0x0000000009510000-0x000000000991B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3772-38-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-51-0x00000000030C0000-0x00000000030C5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/3772-47-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-46-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-45-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-44-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-43-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-42-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3772-41-0x0000000002DF0000-0x0000000002E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-4-0x0000000000400000-0x0000000002ABC000-memory.dmp

        Filesize

        38.7MB

        Download

      • memory/3884-1-0x0000000002B00000-0x0000000002C00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3884-7-0x0000000000400000-0x0000000002ABC000-memory.dmp

        Filesize

        38.7MB

        Download

      • memory/3884-3-0x00000000046B0000-0x00000000046C3000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4912-72-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-70-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-71-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-69-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-73-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-66-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-60-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-67-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-68-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4912-65-0x0000000002C00000-0x0000000002CF1000-memory.dmp

        Filesize

        964KB

        Download