Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2024, 02:38

General

  • Target

    c4c3744a19057ddad87647f25ea466f1.exe

  • Size

    10.8MB

  • MD5

    c4c3744a19057ddad87647f25ea466f1

  • SHA1

    4cbfca8d0dacb3baa2dd25726e3cffbec527da05

  • SHA256

    5dfaa531791a4f57f6da1041b2f53327cbf7e51c9c544642a7ae3fe2f892103d

  • SHA512

    70a264ffd999eef0e77ecfaf2404b9fb8c8e4cce68484966df81e7eb8ccfa9e1b89d920a66f3d5b527e960da1be2317edfeddfd84bdfa260bc46ad99876868a5

  • SSDEEP

    196608:azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe
    "C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zcknioft\
      2⤵
      PID:912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fpkfwwpv.exe" C:\Windows\SysWOW64\zcknioft\
      2⤵
      PID:5036
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create zcknioft binPath= "C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:644
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description zcknioft "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2432
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start zcknioft
      2⤵
      • Launches sc.exe
      PID:2964
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1036
      2⤵
      • Program crash
      PID:3284
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3108 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2648
  • C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe
    C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe /d"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      PID:2760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 512
      2⤵
      • Program crash
      PID:3692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5088 -ip 5088
    1⤵
    PID:3484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 772 -ip 772
    1⤵
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fpkfwwpv.exe

    Filesize

    10.1MB

    MD5

    92a77c87d0815605089d1011067f7521

    SHA1

    1840a603a9bced2e9975c4a83286887ed201f0d2

    SHA256

    9a2a232cfae84a3612fd9a7a581ea736294f9321deedc581324a4facd19bd153

    SHA512

    da9ea055a69270a83c3674f2eb5ad81dff7fb873958d988e414296025dbe54808a8bcd79d2c6330e893eaefb428741deaec3f1c599942b7627b9e806c35b2cc0

  • memory/772-15-0x0000000000400000-0x00000000008EB000-memory.dmp

    Filesize

    4.9MB

  • memory/772-14-0x00000000009D0000-0x0000000000AD0000-memory.dmp

    Filesize

    1024KB

  • memory/772-21-0x0000000000400000-0x00000000008EB000-memory.dmp

    Filesize

    4.9MB

  • memory/2760-20-0x00000000008C0000-0x00000000008D5000-memory.dmp

    Filesize

    84KB

  • memory/2760-16-0x00000000008C0000-0x00000000008D5000-memory.dmp

    Filesize

    84KB

  • memory/2760-22-0x00000000008C0000-0x00000000008D5000-memory.dmp

    Filesize

    84KB

  • memory/2760-31-0x00000000008C0000-0x00000000008D5000-memory.dmp

    Filesize

    84KB

  • memory/5088-8-0x0000000002630000-0x0000000002643000-memory.dmp

    Filesize

    76KB

  • memory/5088-2-0x0000000002630000-0x0000000002643000-memory.dmp

    Filesize

    76KB

  • memory/5088-12-0x0000000000400000-0x00000000008EB000-memory.dmp

    Filesize

    4.9MB

  • memory/5088-7-0x0000000000930000-0x0000000000A30000-memory.dmp

    Filesize

    1024KB

  • memory/5088-1-0x0000000000930000-0x0000000000A30000-memory.dmp

    Filesize

    1024KB

  • memory/5088-3-0x0000000000400000-0x00000000008EB000-memory.dmp

    Filesize

    4.9MB

  • memory/5088-5-0x0000000000400000-0x00000000008EB000-memory.dmp

    Filesize

    4.9MB