Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2024, 09:22

General

  • Target

    c5827bccfff621de9248e02b015d9522.exe

  • Size

    10.3MB

  • MD5

    c5827bccfff621de9248e02b015d9522

  • SHA1

    e8be59c1d0523f26497bffd90b2c72c4377e9bb6

  • SHA256

    b186eda75a3fd90163c798cb6b11f457f04175e71e09f86c0ec7037c56db55d9

  • SHA512

    4a0caae7f03ce30426395061706c4be51e11f0d53624b0ed115b3861d5264c462ccd1c1e7a6ab30fe4b2140fee898673980f0ab104799c663c1cde9acfc48568

  • SSDEEP

    49152:2cUGb2222222222222222222222222222222222222222222222222222222222P:2cU

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe
    "C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uywktbzo\
      2⤵
      PID:620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\joytnzwy.exe" C:\Windows\SysWOW64\uywktbzo\
      2⤵
      PID:2888
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create uywktbzo binPath= "C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:3292
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description uywktbzo "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:4936
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start uywktbzo
      2⤵
      • Launches sc.exe
      PID:2204
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:4952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1204
      2⤵
      • Program crash
      PID:4408
  • C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe
    C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe /d"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      PID:4996
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 516
      2⤵
      • Program crash
      PID:2564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
    1⤵
    PID:2528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4756 -ip 4756
    1⤵
    PID:3972
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2852

Downloads

  • C:\Users\Admin\AppData\Local\Temp\joytnzwy.exe

    Filesize

    12.1MB

    MD5

    507f4098845d5a11326bdab7e7d5da71

    SHA1

    a3d85876ad4e48e3212e12d0f1c6299c1eb8addf

    SHA256

    3e6b879eceeddc4e2f646fd825541f9057ba90b564f30578ac0045c7ed7d9410

    SHA512

    f02459a58a83a92396c8af4da9d7abede712bd3bcd14fe3ff03d572e345bcbf3cd97e2630d1f182b9f16b56433e49c4df39e7b7e4e0971cc522553d0162f287c

  • C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe

    Filesize

    7.7MB

    MD5

    93faf2fa03f8cb55c3b2f1fb4d11738d

    SHA1

    801cdfaa9ae4c4eb412e1cf31f2cc3ae6b302e44

    SHA256

    05f3e5c9248e9cf66516b0d06edbb65d5dee28dffbf5ced96a8ed846d611c9d9

    SHA512

    45e2d7203bb989910f84b3284145b0c39de269cbde726bfe4ebd43e4a672639a622f4601dc3ba28f1e18cce3840f9802fe2c24a7478f9465e827b8895305b37a

  • memory/1424-8-0x00000000001E0000-0x00000000001F3000-memory.dmp

    Filesize

    76KB

  • memory/1424-3-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1424-2-0x00000000001E0000-0x00000000001F3000-memory.dmp

    Filesize

    76KB

  • memory/1424-7-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1424-1-0x00000000004B0000-0x00000000005B0000-memory.dmp

    Filesize

    1024KB

  • memory/4756-11-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/4756-10-0x0000000000640000-0x0000000000740000-memory.dmp

    Filesize

    1024KB

  • memory/4756-17-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/4996-12-0x0000000001250000-0x0000000001265000-memory.dmp

    Filesize

    84KB

  • memory/4996-15-0x0000000001250000-0x0000000001265000-memory.dmp

    Filesize

    84KB

  • memory/4996-16-0x0000000001250000-0x0000000001265000-memory.dmp

    Filesize

    84KB

  • memory/4996-18-0x0000000001250000-0x0000000001265000-memory.dmp

    Filesize

    84KB