Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 06:26

General

  • Target

    c5326b8ccd0481b6fc7ea4d0261b15d5.exe

  • Size

    10.5MB

  • MD5

    c5326b8ccd0481b6fc7ea4d0261b15d5

  • SHA1

    633991440ac46243f20396e1acaac7f8a5fb8b6c

  • SHA256

    3a0812a11a42c0ad5c6a6fa2b2ae73125561d2de24c2177e3794107de6d34f67

  • SHA512

    3ba5a1cb9ae7d8db7a1b9706e2429a2e541725f2b5d5ac2774f7416d5e965b0af55577ebdf66e3324090ef786c493effd83a147cb5f5bcd63d430efecc86e252

  • SSDEEP

    24576:CjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPX:tHSl

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe
    "C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rtsnwfhh\
      2⤵
        PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fczxjujx.exe" C:\Windows\SysWOW64\rtsnwfhh\
        2⤵
          PID:2148
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create rtsnwfhh binPath= "C:\Windows\SysWOW64\rtsnwfhh\fczxjujx.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2612
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description rtsnwfhh "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2508
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start rtsnwfhh
          2⤵
          • Launches sc.exe
          PID:2660
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2692
      • C:\Windows\SysWOW64\rtsnwfhh\fczxjujx.exe
        C:\Windows\SysWOW64\rtsnwfhh\fczxjujx.exe /d"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2460

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\fczxjujx.exe

              Filesize

              4.4MB

              MD5

              b89e9f1dfa7ce11aeff8d1f2faa41f9a

              SHA1

              f9498ea707d7189b08bf685ede05a101bcf7413d

              SHA256

              64671356c869cff08a7be79d7b3e10a9729b2646e344c30d3e529ef5f670dcdb

              SHA512

              68d0c74cba0ba5901b938aa5e57e7713b7679585fcc41359f7e4424714dc5ca8cf6b47eff22bb799e583b012e8586d62ca8da004bd3e28ccdee47521e27e5f86

            • C:\Windows\SysWOW64\rtsnwfhh\fczxjujx.exe

              Filesize

              4.1MB

              MD5

              e2d9c34f2a8c08b6ff142edc6a13e245

              SHA1

              eb6ea090516e019fc8b279b61bbe55b5fbd72970

              SHA256

              25dd10f4e6f793072e7c3032503728a1c467adcc0975bb9f03bcfd39d3fdbcdf

              SHA512

              1757ce9d5cdbfcb1d5aa9eac9428a80536c9e58b7be46462e514d7a5421e13104b7e8aa282e7e3f73032ffc8dab51b160d05a10a1fe6024585094d618f7f3a67

            • memory/1604-11-0x0000000000A20000-0x0000000000B20000-memory.dmp

              Filesize

              1024KB

            • memory/1604-17-0x0000000000400000-0x00000000008E9000-memory.dmp

              Filesize

              4.9MB

            • memory/1604-12-0x0000000000400000-0x00000000008E9000-memory.dmp

              Filesize

              4.9MB

            • memory/1948-7-0x0000000000400000-0x00000000008E9000-memory.dmp

              Filesize

              4.9MB

            • memory/1948-8-0x0000000000A50000-0x0000000000B50000-memory.dmp

              Filesize

              1024KB

            • memory/1948-9-0x0000000000220000-0x0000000000233000-memory.dmp

              Filesize

              76KB

            • memory/1948-1-0x0000000000A50000-0x0000000000B50000-memory.dmp

              Filesize

              1024KB

            • memory/1948-2-0x0000000000220000-0x0000000000233000-memory.dmp

              Filesize

              76KB

            • memory/1948-4-0x0000000000400000-0x00000000008E9000-memory.dmp

              Filesize

              4.9MB

            • memory/2460-13-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

            • memory/2460-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2460-16-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

            • memory/2460-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

            • memory/2460-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

            • memory/2460-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB

            • memory/2460-23-0x00000000000C0000-0x00000000000D5000-memory.dmp

              Filesize

              84KB