Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    13/03/2024, 02:38

General

  • Target

    c4c3744a19057ddad87647f25ea466f1.exe

  • Size

    10.8MB

  • MD5

    c4c3744a19057ddad87647f25ea466f1

  • SHA1

    4cbfca8d0dacb3baa2dd25726e3cffbec527da05

  • SHA256

    5dfaa531791a4f57f6da1041b2f53327cbf7e51c9c544642a7ae3fe2f892103d

  • SHA512

    70a264ffd999eef0e77ecfaf2404b9fb8c8e4cce68484966df81e7eb8ccfa9e1b89d920a66f3d5b527e960da1be2317edfeddfd84bdfa260bc46ad99876868a5

  • SSDEEP

    196608:azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe
    "C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vakhjjw\
      2⤵
      PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zagpawks.exe" C:\Windows\SysWOW64\vakhjjw\
      2⤵
      PID:2944
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create vakhjjw binPath= "C:\Windows\SysWOW64\vakhjjw\zagpawks.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:2632
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description vakhjjw "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2568
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start vakhjjw
      2⤵
      • Launches sc.exe
      PID:2088
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2388
  • C:\Windows\SysWOW64\vakhjjw\zagpawks.exe
    C:\Windows\SysWOW64\vakhjjw\zagpawks.exe /d"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      PID:2428
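The process tree above is a complete persistence chain: a new directory under SysWOW64, the dropped binary moved into it, `sc create` registering it as an auto-start service whose binPath hands the original dropper's path back via `/d"..."`, and a `netsh advfirewall` inbound allow rule for svchost.exe (the process the service later hollows). The following detector is an added example, not part of the sandbox report or of the Tofsee sample: it replays those command lines as constructed process-creation events (same PIDs and command lines as listed in the report; the dict layout is an assumption for this example, not a real Sysmon or 4688 schema), parses the `sc create` and `netsh` arguments, and correlates them by parent PID so that the service creation is flagged because its image lives in a folder the same parent just created under a system directory.

```python
"""Detector for the sc.exe / netsh.exe service-persistence chain shown in the
process tree. Added example, not code from the sandbox report or the sample.
EVENTS is constructed from the report; the event layout is an assumption."""
import re
from typing import Optional

# Constructed process-creation events transcribed from the report's process
# tree. The parent of every entry is PID 1936, the original sample.
EVENTS = [
    {"pid": 2924, "ppid": 1936, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\vakhjjw\\'},
    {"pid": 2944, "ppid": 1936, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zagpawks.exe" C:\Windows\SysWOW64\vakhjjw' + "\\"},
    {"pid": 2632, "ppid": 1936, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create vakhjjw binPath= "C:\Windows\SysWOW64\vakhjjw\zagpawks.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 2568, "ppid": 1936, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description vakhjjw "wifi internet conection"'},
    {"pid": 2088, "ppid": 1936, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start vakhjjw'},
    {"pid": 2388, "ppid": 1936, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
]

# A "..." value that may contain \" escapes, as sc.exe's binPath= does here.
# Caveat: a value ending in a bare backslash ("C:\dir\") would be misparsed.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_sc_create(cmdline: str) -> Optional[dict]:
    """Return the fields of an `sc create` command line, or None if it is not one."""
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    svc = {"name": m.group(1)}
    bp = re.search(r'\bbinPath=\s*' + _QUOTED, cmdline, re.IGNORECASE)
    if bp:
        raw = bp.group(1)
        svc["binpath"] = raw.replace('\\"', '"')            # value as the SCM stores it
        img = re.match(r'\s*"?(.*?\.exe)\b', raw, re.IGNORECASE)
        svc["image"] = img.group(1) if img else raw.split()[0]
        # The report shows the service image being handed the dropper's path as /d"<path>".
        arg = re.search(r'/d\\"(.*?)\\"', raw)
        svc["dropper_arg"] = arg.group(1) if arg else None
    for key in ("type", "start"):
        m = re.search(r'\b' + key + r'=\s*(\S+)', cmdline, re.IGNORECASE)
        if m:
            svc[key] = m.group(1)
    m = re.search(r'\bDisplayName=\s*"([^"]*)"', cmdline, re.IGNORECASE)
    if m:
        svc["display_name"] = m.group(1)
    return svc


def parse_netsh_add_rule(cmdline: str) -> Optional[dict]:
    """Return the key=value fields of `netsh advfirewall firewall add rule`, or None."""
    if not re.search(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', cmdline, re.IGNORECASE):
        return None
    rule = {}
    for key in ("name", "dir", "action", "program", "enable"):
        m = re.search(r'\b' + key + r'=(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            rule[key] = re.split(r'[<>|&]', value)[0]      # drop a trailing ">nul" redirection
    return rule


def analyze(events: list) -> list:
    """Flag service creation into a just-made system-folder subdirectory and
    inbound firewall allow rules for svchost.exe, correlating by parent PID."""
    created_dirs = {}   # ppid -> lower-cased directories made via `cmd /C mkdir`
    for e in events:
        m = re.search(r'\bmkdir\s+"?([^"\s]+)', e["cmdline"], re.IGNORECASE)
        if m:
            created_dirs.setdefault(e["ppid"], set()).add(m.group(1).rstrip("\\").lower())

    findings = []
    for e in events:
        svc = parse_sc_create(e["cmdline"])
        if svc and "image" in svc:
            img_dir = svc["image"].rsplit("\\", 1)[0].lower()
            reasons = []
            if img_dir.startswith(SYSTEM_DIRS) and img_dir in created_dirs.get(e["ppid"], ()):
                reasons.append("binPath is in a directory the same parent just created under a system folder")
            if svc.get("start", "").lower() == "auto":
                reasons.append("start= auto (runs at boot without a logon)")
            if svc.get("dropper_arg") and "\\appdata\\local\\temp\\" in svc["dropper_arg"].lower():
                reasons.append("binPath embeds a path into the user's Temp folder: " + svc["dropper_arg"])
            if reasons:
                findings.append({"rule": "suspicious_service_create", "pid": e["pid"],
                                 "service": svc["name"], "image": svc["image"], "reasons": reasons})
        rule = parse_netsh_add_rule(e["cmdline"])
        if rule and rule.get("dir", "").lower() == "in" and rule.get("action", "").lower() == "allow" \
                and rule.get("program", "").lower().endswith("\\svchost.exe"):
            findings.append({"rule": "firewall_allow_for_svchost", "pid": e["pid"],
                             "name": rule.get("name"), "program": rule["program"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the report's events this yields two findings: the `vakhjjw` service (three reasons: freshly created SysWOW64 subdirectory, auto start, and a binPath argument pointing into the user's Temp folder) and the inbound allow rule for svchost.exe. The mkdir correlation is what separates this from benign installers, which register services from their own program directory; the `/d` extraction is specific to what this report shows and should be treated as a Tofsee-style indicator rather than a general rule.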

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zagpawks.exe
    Filesize
    8.1MB
    MD5
    2d6da61dd89b8ca1670b680d5b0bb57d
    SHA1
    57e8ffe8c173b4f97f7c32f382a86e615da5c1df
    SHA256
    1e37bf4e0081f29daa7c8c4aa2526f5d5920fff52eca0e42ea6354540e1f0779
    SHA512
    39dbed5cf6bfb1d5dd77bbcf0fe74adacfe050c63c5d64caef2e1d844f0d8b9fca2cc67352004a313d9a36ca7e58848e488471b6c55ad88e70df36a9a4f7e1b2
  • C:\Windows\SysWOW64\vakhjjw\zagpawks.exe
    Filesize
    4.0MB
    MD5
    65fc6b6f6988c1a9da2dd0daa5cb0518
    SHA1
    3ecffe66b24f97417783f4ad98357b5248706c1d
    SHA256
    503697155747cc69ca4a28b5bb951b36eab3684e5c2c909b70658cb8efb5fd69
    SHA512
    1f543932012e1adcf39a4fb3d7ad5c8eb75f4cc6fc96f4015d6964292bcb1eb0c357df93b0e008a4c67bea8671df5c59690e26e816d0b49e9aa3de42d3536e9b
  • memory/1936-2-0x0000000000220000-0x0000000000233000-memory.dmp
    Filesize
    76KB
  • memory/1936-1-0x0000000000A20000-0x0000000000B20000-memory.dmp
    Filesize
    1024KB
  • memory/1936-4-0x0000000000400000-0x00000000008EB000-memory.dmp
    Filesize
    4.9MB
  • memory/1936-7-0x0000000000400000-0x00000000008EB000-memory.dmp
    Filesize
    4.9MB
  • memory/2396-9-0x0000000000290000-0x0000000000390000-memory.dmp
    Filesize
    1024KB
  • memory/2396-10-0x0000000000400000-0x00000000008EB000-memory.dmp
    Filesize
    4.9MB
  • memory/2396-15-0x0000000000400000-0x00000000008EB000-memory.dmp
    Filesize
    4.9MB
  • memory/2428-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2428-11-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB
  • memory/2428-14-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB
  • memory/2428-19-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB
  • memory/2428-20-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB
  • memory/2428-21-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB