Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 05:37

General

  • Target

    c51ba681e2a91256b750c02a07e71214.exe

  • Size

    12.0MB

  • MD5

    c51ba681e2a91256b750c02a07e71214

  • SHA1

    e95e7d2ac0be130cd7bd10548130ed4e356c6f82

  • SHA256

    162517397a17d464746d2457475be8ab091e8378303c7cdaf745bc238434c34a

  • SHA512

    0960e67571090307e1768ab552cb8daedd5d31058a5d181d910c725d9ae022ccd4ad77dcb79b3481a9f059778e1049246f7559adf9cb0d5c277bd358b5356311

  • SSDEEP

    6144:V6uxTBt/Du+VqSPZlb3qahCecVeShkKo/HovAqeQmt6+:pxNt/D7cSPZZeeShkKo4ANz/

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe
    "C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kagofhvb\
      2⤵
        PID:4372
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zvnltcfx.exe" C:\Windows\SysWOW64\kagofhvb\
        2⤵
          PID:4904
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kagofhvb binPath= "C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe /d\"C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4140
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kagofhvb "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:404
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kagofhvb
          2⤵
          • Launches sc.exe
          PID:1996
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1268
          2⤵
          • Program crash
          PID:4800
      • C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe
        C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe /d"C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:3448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 512
          2⤵
          • Program crash
          PID:4696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
        1⤵
          PID:4420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2536 -ip 2536
          1⤵
            PID:3920

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\zvnltcfx.exe

                  Filesize

                  11.3MB

                  MD5

                  ca364612c10bdf26ba93719870454809

                  SHA1

                  f89c0517430c420f5d3c649d93bd8cb80a66c189

                  SHA256

                  3c6d57e1b167abfac9572c921c788a0d51f503fee93ed3232ba58707ad03a9a7

                  SHA512

                  d4b502dccf4a890e487b42631166894a0b04e178a278ca457e3119213f8ff47e85c3ac477abab5a590f4791681eb96dddbbf42c6eeaddbd505b3e1d9218addc4

                • memory/2536-10-0x00000000009F0000-0x0000000000AF0000-memory.dmp

                  Filesize

                  1024KB

                • memory/2536-11-0x0000000000400000-0x00000000008EA000-memory.dmp

                  Filesize

                  4.9MB

                • memory/2536-17-0x0000000000400000-0x00000000008EA000-memory.dmp

                  Filesize

                  4.9MB

                • memory/3448-12-0x00000000010C0000-0x00000000010D5000-memory.dmp

                  Filesize

                  84KB

                • memory/3448-15-0x00000000010C0000-0x00000000010D5000-memory.dmp

                  Filesize

                  84KB

                • memory/3448-16-0x00000000010C0000-0x00000000010D5000-memory.dmp

                  Filesize

                  84KB

                • memory/3448-18-0x00000000010C0000-0x00000000010D5000-memory.dmp

                  Filesize

                  84KB

                • memory/3448-19-0x00000000010C0000-0x00000000010D5000-memory.dmp

                  Filesize

                  84KB

                • memory/4860-4-0x0000000000400000-0x00000000008EA000-memory.dmp

                  Filesize

                  4.9MB

                • memory/4860-2-0x0000000002630000-0x0000000002643000-memory.dmp

                  Filesize

                  76KB

                • memory/4860-7-0x0000000000400000-0x00000000008EA000-memory.dmp

                  Filesize

                  4.9MB

                • memory/4860-8-0x0000000002630000-0x0000000002643000-memory.dmp

                  Filesize

                  76KB

                • memory/4860-1-0x0000000000B00000-0x0000000000C00000-memory.dmp

                  Filesize

                  1024KB