Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13/03/2024, 06:26

General

  • Target

    c5326b8ccd0481b6fc7ea4d0261b15d5.exe

  • Size

    10.5MB

  • MD5

    c5326b8ccd0481b6fc7ea4d0261b15d5

  • SHA1

    633991440ac46243f20396e1acaac7f8a5fb8b6c

  • SHA256

    3a0812a11a42c0ad5c6a6fa2b2ae73125561d2de24c2177e3794107de6d34f67

  • SHA512

    3ba5a1cb9ae7d8db7a1b9706e2429a2e541725f2b5d5ac2774f7416d5e965b0af55577ebdf66e3324090ef786c493effd83a147cb5f5bcd63d430efecc86e252

  • SSDEEP

    24576:CjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPX:tHSl

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    sc.exe is the Windows utility for creating and controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe
    "C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\negjluyh\
      2⤵
        PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qublzmuk.exe" C:\Windows\SysWOW64\negjluyh\
        2⤵
          PID:1452
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create negjluyh binPath= "C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2348
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description negjluyh "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4708
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start negjluyh
          2⤵
          • Launches sc.exe
          PID:1260
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1164
          2⤵
          • Program crash
          PID:3592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4984 -ip 4984
        1⤵
          PID:2384
        • C:\Windows\SysWOW64\negjluyh\qublzmuk.exe
          C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4124
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Deletes itself
            PID:2724
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 508
            2⤵
            • Program crash
            PID:4540
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4124 -ip 4124
          1⤵
            PID:3580
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:840
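The process tree above is the whole persistence chain in order: a directory is created under SysWOW64, the dropped binary is moved into it, sc.exe registers it as an auto-start service with the original dropper path passed as /d, netsh opens the firewall for svchost.exe, and the service binary then starts a bare svchost.exe whose image it replaces (WriteProcessMemory plus SetThreadContext). The Python below is an added example, not part of the sandbox report or of the sample: it runs a few command-line rules and one parent-child check over a constructed, pipe-delimited event list transcribed from the tree (with one legitimate svchost.exe as a benign control) and correlates the hits back to the dropper and its registered service. Rule names, the event format, the parent-pid convention and the scoring are this example's own assumptions.

```python
"""Detect the Tofsee-style persistence chain seen above from process-creation
events: SysWOW64 staging, sc.exe auto-start service, firewall allow for
svchost.exe, and a svchost.exe spawned by the service binary (hollowing)."""
import re
from dataclasses import dataclass

# Constructed sample transcribed from the process tree above, one event per
# line as pid|ppid|image|command line (ppid 1 stands for the sandbox root).
# The last two lines, a svchost.exe started by services.exe, are a benign control.
SAMPLE_EVENTS = r"""
4984|1|C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe|"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
4464|4984|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\negjluyh\
1452|4984|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qublzmuk.exe" C:\Windows\SysWOW64\negjluyh\
2348|4984|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" create negjluyh binPath= "C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe\"" type= own start= auto DisplayName= "wifi support"
4708|4984|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" description negjluyh "wifi internet conection"
1260|4984|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" start negjluyh
516|4984|C:\Windows\SysWOW64\netsh.exe|"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes
4124|1|C:\Windows\SysWOW64\negjluyh\qublzmuk.exe|C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
2724|4124|C:\Windows\SysWOW64\svchost.exe|svchost.exe
700|600|C:\Windows\System32\services.exe|C:\Windows\System32\services.exe
900|700|C:\Windows\System32\svchost.exe|C:\Windows\System32\svchost.exe -k netsvcs -p
"""

@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def parse_events(text):
    """Parse pid|ppid|image|cmdline lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events

# Service binary dropped into a fresh SysWOW64 subfolder, as in the tree above.
WOW64_DROP = r"C:\\Windows\\SysWOW64\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe"

# Command-line rules; names and groupings are this example's own choices.
RULES = {
    # T1543.003: auto-start service whose image lives in the dropped folder
    "service_create_syswow64": re.compile(
        r'\bsc(\.exe)?"?\s+create\s+(?P<svc>\S+)\s+binPath=\s*"?(?P<bin>'
        + WOW64_DROP + r').*\bstart=\s*auto\b', re.I),
    # T1562.004: inbound allow rule for svchost.exe, the later hollowing target
    "firewall_allow_svchost": re.compile(
        r'\bnetsh(\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*'
        r'\baction=allow\b.*\bprogram="?[^"\s]*\\svchost\.exe', re.I),
    # staging: new directory under SysWOW64, or a user-profile exe moved there
    "syswow64_staging": re.compile(
        r'\b(mkdir\s+C:\\Windows\\SysWOW64\\|'
        r'move\s+/Y\s+"?C:\\Users\\[^"]+\.exe"?\s+C:\\Windows\\SysWOW64\\)', re.I),
}

def hollowed_svchost(ev, by_pid):
    """svchost.exe not started by services.exe (here: by the service binary)."""
    if basename(ev.image) != "svchost.exe":
        return None
    parent = by_pid.get(ev.ppid)
    parent_name = basename(parent.image) if parent else "<unknown>"
    if parent_name == "services.exe":
        return None
    return f"svchost.exe pid {ev.pid} started by {parent_name} (pid {ev.ppid})"

def scan(events):
    """Return (rule, actor_pid, info) hits; the actor is the spawning parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule, rx in RULES.items():
            m = rx.search(ev.cmdline)
            if m:
                findings.append((rule, ev.ppid, m.groupdict() or {"match": m.group(0)}))
        hit = hollowed_svchost(ev, by_pid)
        if hit:
            findings.append(("svchost_nonstandard_parent", ev.ppid, {"detail": hit}))
    return findings

def correlate(events, findings):
    """Tie each service creation to staging/firewall hits by the same dropper
    and to a hollowed svchost.exe spawned by the registered service binary."""
    verdicts = []
    for rule, actor, info in findings:
        if rule != "service_create_syswow64":
            continue
        svc_pids = {e.pid for e in events if e.image.lower() == info["bin"].lower()}
        staged = any(r == "syswow64_staging" and a == actor for r, a, _ in findings)
        fw = any(r == "firewall_allow_svchost" and a == actor for r, a, _ in findings)
        hollowed = any(r == "svchost_nonstandard_parent" and a in svc_pids
                       for r, a, _ in findings)
        verdicts.append({"dropper_pid": actor, "service": info["svc"], "binary": info["bin"],
                         "staged": staged, "firewall_allow": fw,
                         "svchost_hollowed": hollowed, "score": staged + fw + hollowed})
    return verdicts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(*correlate(evs, scan(evs)), sep="\n")
```

Run against the constructed events, `scan` reports the two staging commands, the service creation and the firewall rule with the dropper (pid 4984) as actor, plus the svchost.exe whose parent is the service binary (pid 4124), and `correlate` ties them into one verdict for service `negjluyh` with all three follow-on indicators present. The svchost.exe started by services.exe produces no hit. On real telemetry the same rules apply to Sysmon event 1 or 4688 fields; the `/d"<original path>"` argument and the svchost.exe-with-no-arguments child are the two details that separate this chain from a legitimately installed service.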

            Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\qublzmuk.exe

                    Filesize

                    11.6MB

                    MD5

                    3bb6e8afcaa67f72acf23cd413bbdf95

                    SHA1

                    b91c5b27090753d6e044e197ea4fdf13fe5da873

                    SHA256

                    626fbb5667c3c8de0764fce5f89627178e1b734a6449d82cd745d6ac01c502ab

                    SHA512

                    4bd5e525a8a5376694b321af63e5cf7c31fb6d9404578d42aad4aa24fdcb2daba1c2b7b8a2930719ea61680c5da16b809f242c44fd3fe6d5541cc80989f11f6b

                  • C:\Windows\SysWOW64\negjluyh\qublzmuk.exe

                    Filesize

                    10.1MB

                    MD5

                    6fe069811fc6c0cb31bddfc5254054eb

                    SHA1

                    314bc9a7f39c6f16c5261f6fba99fec506a210c8

                    SHA256

                    669329531e5724dc5cf4ceb3c5363265daa5a336ee8fe10d50e60374c016a539

                    SHA512

                    296554610e5ef252d08dc7145cbdca036e7c8c78406ebf0ae53b8a429efddb4d941b69e53bc907e1d41f7c4f30ac0c6f5d7370ac983b4d66e068b20ce32e1226

                  • memory/2724-18-0x0000000000480000-0x0000000000495000-memory.dmp

                    Filesize

                    84KB

                  • memory/2724-14-0x0000000000480000-0x0000000000495000-memory.dmp

                    Filesize

                    84KB

                  • memory/2724-21-0x0000000000480000-0x0000000000495000-memory.dmp

                    Filesize

                    84KB

                  • memory/2724-19-0x0000000000480000-0x0000000000495000-memory.dmp

                    Filesize

                    84KB

                  • memory/2724-17-0x0000000000480000-0x0000000000495000-memory.dmp

                    Filesize

                    84KB

                  • memory/4124-20-0x0000000000400000-0x00000000008E9000-memory.dmp

                    Filesize

                    4.9MB

                  • memory/4124-12-0x0000000000B30000-0x0000000000C30000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4124-13-0x0000000000400000-0x00000000008E9000-memory.dmp

                    Filesize

                    4.9MB

                  • memory/4984-8-0x0000000000400000-0x00000000008E9000-memory.dmp

                    Filesize

                    4.9MB

                  • memory/4984-11-0x0000000002640000-0x0000000002653000-memory.dmp

                    Filesize

                    76KB

                  • memory/4984-1-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4984-5-0x0000000000400000-0x00000000008E9000-memory.dmp

                    Filesize

                    4.9MB

                  • memory/4984-2-0x0000000002640000-0x0000000002653000-memory.dmp

                    Filesize

                    76KB

                  • memory/4984-3-0x0000000000400000-0x00000000008E9000-memory.dmp

                    Filesize

                    4.9MB