Analysis

  • max time kernel: 144s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/03/2024, 14:21

General

  • Target: b79e3ee1a65ad2cb3d8e6056ccd6f881.exe
  • Size: 12.7MB
  • MD5: b79e3ee1a65ad2cb3d8e6056ccd6f881
  • SHA1: 1876b78c93ad6a591bfca8f53cd34484a43eca3b
  • SHA256: 4c60bfe82bee8e9fba230f67fdd0d3f1866b1b108b0075d4ceb997f53a6b3a24
  • SHA512: a71a2653b1a1a443377ec1671867bb03461127c841ebba4f1b49434601a0b65627f0f61de47cc019390618347fa79977a87b88290f96cecb994932d13c0d4f2e
  • SSDEEP: 49152:FzCf1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzH:M

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.6, lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b79e3ee1a65ad2cb3d8e6056ccd6f881.exe
    "C:\Users\Admin\AppData\Local\Temp\b79e3ee1a65ad2cb3d8e6056ccd6f881.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ktjeamgx\
      2⤵
        PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gcusajme.exe" C:\Windows\SysWOW64\ktjeamgx\
        2⤵
          PID:2612
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ktjeamgx binPath= "C:\Windows\SysWOW64\ktjeamgx\gcusajme.exe /d\"C:\Users\Admin\AppData\Local\Temp\b79e3ee1a65ad2cb3d8e6056ccd6f881.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2564
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ktjeamgx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2540
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ktjeamgx
          2⤵
          • Launches sc.exe
          PID:2696
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2432
      • C:\Windows\SysWOW64\ktjeamgx\gcusajme.exe
        C:\Windows\SysWOW64\ktjeamgx\gcusajme.exe /d"C:\Users\Admin\AppData\Local\Temp\b79e3ee1a65ad2cb3d8e6056ccd6f881.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2360

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\gcusajme.exe
              Filesize: 12.3MB
              MD5: 2b606fad0e06e8457b53bd380ef03b96
              SHA1: 0eff62eff33016596993115ddc89191b4674a6aa
              SHA256: 63eb6f395998b3c30f60b47a69779acd7ef2ff0a30781afe241784aeefb141b7
              SHA512: 524aa6e805b61df3752bb7de0c585b32446352007fcb9b423b83f7f9029d887826c7b7663d339fbf20be56c2619771371c2ca0de560df97e765a738da2908eb0

            • C:\Windows\SysWOW64\ktjeamgx\gcusajme.exe
              Filesize: 6.7MB
              MD5: cd7f89c0ac03621d4fe98464f7785d2a
              SHA1: 3784ecc4e9f98188ece190b2d11a2be2c9b39a80
              SHA256: 082a1835dbcb3427e67857999111db898ef687ede2755d45b96991c057825b07
              SHA512: a685b309c297a54d4de1bef967a48ff67abf7b4eaf7c6603e02ed811e4342cb92e3f77a4e50e4aafd025c8c846dcfbe4d43596fb32a27b17f76d26067fa9db4e

            • memory/2172-1-0x0000000000990000-0x0000000000A90000-memory.dmp (Filesize: 1024KB)
            • memory/2172-2-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
            • memory/2172-4-0x0000000000400000-0x00000000008E9000-memory.dmp (Filesize: 4.9MB)
            • memory/2172-6-0x0000000000400000-0x00000000008E9000-memory.dmp (Filesize: 4.9MB)
            • memory/2360-11-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
            • memory/2360-14-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
            • memory/2360-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
            • memory/2360-19-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
            • memory/2360-20-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
            • memory/2360-21-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
            • memory/2456-9-0x0000000000A00000-0x0000000000B00000-memory.dmp (Filesize: 1024KB)
            • memory/2456-10-0x0000000000400000-0x00000000008E9000-memory.dmp (Filesize: 4.9MB)
            • memory/2456-17-0x0000000000400000-0x00000000008E9000-memory.dmp (Filesize: 4.9MB)