Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 04:37

General

  • Target

    c4fefd261e956faeb02c99c55eef2ad5.exe

  • Size

    13.8MB

  • MD5

    c4fefd261e956faeb02c99c55eef2ad5

  • SHA1

    70b198489a3c7dd98818ec61f94e5054e064988b

  • SHA256

    a998fde5f82f852df97cef9e0d2ed596f46eeb509a37c0603c92f5629098fac8

  • SHA512

    b683e14d3fce4b326550fbebab62a81bf8f20a7b95093d000070fd1500fc22cce73d48bbb340a6b87f87af4694273230f7175babe66931e1e4090b288b87e0d6

  • SSDEEP

    6144:/QyhgHfohrlzTzRRm9H+L0MOxhwOZsXPpmnqk+sRQU6tntntntntntntntntntnX:CHfohl3m9H+eTwhpIvJ

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe
    "C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kmvssopd\
      2⤵
        PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\quxtfolh.exe" C:\Windows\SysWOW64\kmvssopd\
        2⤵
          PID:2020
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kmvssopd binPath= "C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2628
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kmvssopd "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kmvssopd
          2⤵
          • Launches sc.exe
          PID:2784
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2692
      • C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe
        C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe /d"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\quxtfolh.exe

    Filesize

    10.8MB

    MD5

    c8baae233f440b597df98730722480e8

    SHA1

    082d1de78cbdb34744939736b4039161ee5ee75c

    SHA256

    83a29fdb662bb14ffc9d39f3eb423dfed03f52cb15fdeeebda1c1028111d1934

    SHA512

    b4435e1d6133b1ed01e6764d4eebd2c4228d4d80cd463e04144020760d17e3da6084aafcdf2131764a000de86b40ea9420336a5555e0e57a1050e5d28e0dd711

  • memory/2448-13-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2448-9-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2448-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2448-19-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2448-20-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2448-21-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2552-8-0x0000000003340000-0x0000000003440000-memory.dmp

    Filesize

    1024KB

  • memory/2552-15-0x0000000000400000-0x000000000324F000-memory.dmp

    Filesize

    46.3MB

  • memory/2552-17-0x0000000000400000-0x000000000324F000-memory.dmp

    Filesize

    46.3MB

  • memory/2988-4-0x0000000000400000-0x000000000324F000-memory.dmp

    Filesize

    46.3MB

  • memory/2988-3-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2988-2-0x0000000003350000-0x0000000003450000-memory.dmp

    Filesize

    1024KB

  • memory/2988-12-0x0000000000400000-0x000000000324F000-memory.dmp

    Filesize

    46.3MB