Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 05:19

General

  • Target

    c512b0dccb9f92204e6fb655c6b51333.exe

  • Size

    10.1MB

  • MD5

    c512b0dccb9f92204e6fb655c6b51333

  • SHA1

    dd085d130c33c357e829863630a4377be11c76da

  • SHA256

    c78d053710f55ecd76867851e5ef0a5fc387ff22e146aeeb6055b928a74322e1

  • SHA512

    c3c55b079d61a5efa9f3c3960763063024a4d7a500a9ffbd8bd8273e78de42f836d4e86b9d1ce8c8e1031c001e9905b7b49ef614420f55d1d8c810969a79f351

  • SSDEEP

    12288:nljL7ioRGJyDJSuiAZzlsO+++++++++++++++++++++++++++++++++++++++++W:p7hR5QAZi

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c512b0dccb9f92204e6fb655c6b51333.exe
    "C:\Users\Admin\AppData\Local\Temp\c512b0dccb9f92204e6fb655c6b51333.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qizouxri\
      2⤵
      PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\arrkazao.exe" C:\Windows\SysWOW64\qizouxri\
      2⤵
      PID:2924
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create qizouxri binPath= "C:\Windows\SysWOW64\qizouxri\arrkazao.exe /d\"C:\Users\Admin\AppData\Local\Temp\c512b0dccb9f92204e6fb655c6b51333.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:2604
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description qizouxri "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2716
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start qizouxri
      2⤵
      • Launches sc.exe
      PID:2516
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2652
  • C:\Windows\SysWOW64\qizouxri\arrkazao.exe
    C:\Windows\SysWOW64\qizouxri\arrkazao.exe /d"C:\Users\Admin\AppData\Local\Temp\c512b0dccb9f92204e6fb655c6b51333.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      PID:2388

Network

MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\Local\Temp\arrkazao.exe

              Filesize

              12.0MB

              MD5

              996bc7448c2dda53a5ec19c81a3cc96b

              SHA1

              6dbc82e5c4280c73d0197dba329f5db83a50d23f

              SHA256

              dd8a07e3e7dc4673200687e6c875e578ccd87bc0ae73f0be297aec12ab2ce58f

              SHA512

              957751f150aba471cc514c66b831a6f02e7f546b478a0e596852ed26600196d68a9ec7bf4055d7662c00dcca6e3c747e85699fbd3fb2768060c08ad25a1e6fbe

            • C:\Windows\SysWOW64\qizouxri\arrkazao.exe

              Filesize

              2.4MB

              MD5

              6e28c320c645eab8c988560e177ea073

              SHA1

              f4dc87138579cda783ff61fe46c5464d936ea96e

              SHA256

              a49d19964c002c532281e061309de7c94254c1bc4c0a574ff8407630621e946f

              SHA512

              73a8d15f10c27505a30cf19069e589482a9a4da0b36055b87560e3087f60682951b2f235d0801929cc537ae832c301ddd185e4d3401a48773ce4e304504af5e6

            • memory/2320-1-0x0000000003380000-0x0000000003480000-memory.dmp

              Filesize

              1024KB

            • memory/2320-2-0x0000000000250000-0x0000000000263000-memory.dmp

              Filesize

              76KB

            • memory/2320-4-0x0000000000400000-0x0000000003250000-memory.dmp

              Filesize

              46.3MB

            • memory/2320-6-0x0000000000400000-0x0000000003250000-memory.dmp

              Filesize

              46.3MB

            • memory/2320-7-0x0000000003380000-0x0000000003480000-memory.dmp

              Filesize

              1024KB

            • memory/2320-8-0x0000000000250000-0x0000000000263000-memory.dmp

              Filesize

              76KB

            • memory/2388-19-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2388-12-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2388-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2388-15-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2388-21-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2388-22-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2388-24-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2492-11-0x00000000036B0000-0x00000000037B0000-memory.dmp

              Filesize

              1024KB

            • memory/2492-17-0x0000000000400000-0x0000000003250000-memory.dmp

              Filesize

              46.3MB

            • memory/2492-20-0x0000000000400000-0x0000000003250000-memory.dmp

              Filesize

              46.3MB

            • memory/2492-23-0x0000000000400000-0x0000000003250000-memory.dmp

              Filesize

              46.3MB