Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 04:53

General

  • Target

    c50606fc4ff46ed15174748afa93aea0.exe

  • Size

    14.6MB

  • MD5

    c50606fc4ff46ed15174748afa93aea0

  • SHA1

    5ef3f3a758a2a539598fb94165d198fa3b22b7f6

  • SHA256

    86a41d419fb7833463a06e7e6774617b8db86c1d41259def41e61a396370b164

  • SHA512

    47f9863f1311bfd9f73032082e97f6970c0a721a4e483fb9a3a08be1a62e9cecff04a045be34e72a3d02bfa265a163a7a35d13fff3251e45ae05cb5502bdee9b

  • SSDEEP

    24576:HNrrSkMiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiK:Rek

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

defeatwax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe
    "C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\chhtpbfz\
      2⤵
        PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nytpoouh.exe" C:\Windows\SysWOW64\chhtpbfz\
        2⤵
          PID:2616
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create chhtpbfz binPath= "C:\Windows\SysWOW64\chhtpbfz\nytpoouh.exe /d\"C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2116
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description chhtpbfz "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2632
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start chhtpbfz
          2⤵
          • Launches sc.exe
          PID:2584
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2384
      • C:\Windows\SysWOW64\chhtpbfz\nytpoouh.exe
        C:\Windows\SysWOW64\chhtpbfz\nytpoouh.exe /d"C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nytpoouh.exe
    Filesize: 8.9MB
    MD5: 057261a7c06dfc488944a4ed55968ba0
    SHA1: 0f19baa309297cf1082b0bc588b9b7789278c105
    SHA256: 940315fa0a29616e84158d6abad9ccb362f5661a0bc8597edef0d52c7cf3b16c
    SHA512: 30233e41190779140fc2e57bea520b57b76efaffba85cb768950bda4f7c5571b4dd9f9fc3bf3e5215fe5dec44b5978660f72dce5dd4c8e5055b504ee76a06539

  • C:\Windows\SysWOW64\chhtpbfz\nytpoouh.exe
    Filesize: 3.7MB
    MD5: 95691e2643d6e9d07f52d7618373ae34
    SHA1: 5f23f1dbb39852363213ddd382bf0f74a97b4293
    SHA256: e9022e29771bbe7e8234d77265ce0f0e31ee8a5ed2a4d5eb835401c4ac2fa6f0
    SHA512: 00ccb2e28b13177ca8604a3320941e808935c71baa590d9daf0950a9016de80724fc4ab897eb7bd30bff4e43558e5e0b86e0c512a748a153e02df90e72eee50a

  • memory/1868-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/1868-19-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/1868-22-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/1868-21-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/1868-20-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/1868-13-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/1868-10-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  • memory/2748-15-0x0000000000A70000-0x0000000000B70000-memory.dmp (Filesize: 1024KB)
  • memory/2748-18-0x0000000000400000-0x000000000099D000-memory.dmp (Filesize: 5.6MB)
  • memory/2784-1-0x0000000000230000-0x0000000000330000-memory.dmp (Filesize: 1024KB)
  • memory/2784-4-0x0000000000400000-0x000000000099D000-memory.dmp (Filesize: 5.6MB)
  • memory/2784-9-0x00000000003A0000-0x00000000003B3000-memory.dmp (Filesize: 76KB)
  • memory/2784-8-0x0000000000400000-0x000000000099D000-memory.dmp (Filesize: 5.6MB)
  • memory/2784-2-0x00000000003A0000-0x00000000003B3000-memory.dmp (Filesize: 76KB)