Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    13/03/2024, 09:22

General

  • Target

    c5827bccfff621de9248e02b015d9522.exe

  • Size

    10.3MB

  • MD5

    c5827bccfff621de9248e02b015d9522

  • SHA1

    e8be59c1d0523f26497bffd90b2c72c4377e9bb6

  • SHA256

    b186eda75a3fd90163c798cb6b11f457f04175e71e09f86c0ec7037c56db55d9

  • SHA512

    4a0caae7f03ce30426395061706c4be51e11f0d53624b0ed115b3861d5264c462ccd1c1e7a6ab30fe4b2140fee898673980f0ab104799c663c1cde9acfc48568

  • SSDEEP

    49152:2cUGb2222222222222222222222222222222222222222222222222222222222P:2cU

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe
    "C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlfyqalg\
      2⤵
        PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lhzzwlky.exe" C:\Windows\SysWOW64\qlfyqalg\
        2⤵
          PID:2564
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qlfyqalg binPath= "C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2676
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qlfyqalg "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2280
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qlfyqalg
          2⤵
          • Launches sc.exe
          PID:2776
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2964
      • C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe
        C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe /d"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2968


            Downloads

            • C:\Users\Admin\AppData\Local\Temp\lhzzwlky.exe

              Filesize

              12.9MB

              MD5

              72a63c1cbe195c713d3957d356c03edb

              SHA1

              a95c07cf8b0c0cf649066d320cbda96aa94bf46c

              SHA256

              3a8f1a5ad787ef06cd5845ef75e9eaa5a03cfd5be41ba05b7326676d3537d507

              SHA512

              3379466c64e7a1a18c2e7568e744fb453cf27821bf4dbc138b675a4071f3555da11fea9ce41ed20f9caa9577bb4bf67c7fc22c277f7b59adefbcbaba35fa7ab0

            • C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe

              Filesize

              8.5MB

              MD5

              968fd1c23c8c4e0c4a65a056d1b2af61

              SHA1

              e3703adfc04a7321095d0b101d7068f2eab15bbf

              SHA256

              706b95ef453c73664d01762bd2768c4703069f245c1815635736f476eb3b840f

              SHA512

              9e3e2f3ebb8fdbbfe191fa9f858e9028ae2de88b92759d4b25912d4c48799d8081f3dacc740c326936cd80a66ff37c1f238ab476175fc9031a2551411fd34415

            • memory/1576-1-0x0000000000270000-0x0000000000370000-memory.dmp

              Filesize

              1024KB

            • memory/1576-2-0x0000000000020000-0x0000000000033000-memory.dmp

              Filesize

              76KB

            • memory/1576-3-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

            • memory/1576-6-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

            • memory/1576-7-0x0000000000020000-0x0000000000033000-memory.dmp

              Filesize

              76KB

            • memory/1632-13-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

            • memory/1632-10-0x0000000000540000-0x0000000000640000-memory.dmp

              Filesize

              1024KB

            • memory/1632-17-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

            • memory/2968-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2968-11-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2968-15-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2968-19-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2968-20-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2968-21-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB

            • memory/2968-22-0x0000000000080000-0x0000000000095000-memory.dmp

              Filesize

              84KB