Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 09:37

General

  • Target

    c589e57813712cdca2f4e39ab028c665.exe

  • Size

    12.6MB

  • MD5

    c589e57813712cdca2f4e39ab028c665

  • SHA1

    8fdaac9837d59ae86e15ea0ce17afb5b1ddbf447

  • SHA256

    7c74a5c28e75dc5c494548b2f305d0bd34ac51c4fbe72e32a24df04397fb4cbd

  • SHA512

    2d582894b12996acdff1560a032fc2ee34d313be92eec23ec2517ef9af9da07b45bbaf8e4dd0817eb0c13947e8141ad45fcfe6f83bdec5bf859503e3d04268da

  • SSDEEP

    49152:vj55555555555555555555555555555555555555555555555555555555555553:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c589e57813712cdca2f4e39ab028c665.exe
    "C:\Users\Admin\AppData\Local\Temp\c589e57813712cdca2f4e39ab028c665.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hrenqitv\
      2⤵
        PID:3992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xwiejtdq.exe" C:\Windows\SysWOW64\hrenqitv\
        2⤵
          PID:4128
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hrenqitv binPath= "C:\Windows\SysWOW64\hrenqitv\xwiejtdq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c589e57813712cdca2f4e39ab028c665.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2092
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hrenqitv "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2748
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hrenqitv
          2⤵
          • Launches sc.exe
          PID:2988
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2296
      • C:\Windows\SysWOW64\hrenqitv\xwiejtdq.exe
        C:\Windows\SysWOW64\hrenqitv\xwiejtdq.exe /d"C:\Users\Admin\AppData\Local\Temp\c589e57813712cdca2f4e39ab028c665.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4492

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\xwiejtdq.exe

              Filesize

              12.8MB

              MD5

              103fa56bbbf7f69b1f554acb22b00a56

              SHA1

              ba9968ad9178a12fcc8233a36b9dc3b28b4ff38a

              SHA256

              72afe1dce02f63aff5116011cd9f3d3123dee9aef3d870f84e0acb187fef8de4

              SHA512

              6ddcf83dda09e0358097261a81a94f1460a2b3b914ea2d43ee688e1dc16e3e1686b18fef4a8b025054934af093af062734bda2a9dab3cbd5acdb1f6dcc55418f

            • memory/836-14-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/836-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

              Filesize

              4KB

            • memory/836-1-0x00000000006C0000-0x00000000006C1000-memory.dmp

              Filesize

              4KB

            • memory/836-2-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/836-0-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/3720-7-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/3720-9-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

              Filesize

              4KB

            • memory/3720-11-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/4492-10-0x0000000000130000-0x0000000000145000-memory.dmp

              Filesize

              84KB

            • memory/4492-15-0x0000000000130000-0x0000000000145000-memory.dmp

              Filesize

              84KB

            • memory/4492-16-0x0000000000130000-0x0000000000145000-memory.dmp

              Filesize

              84KB

            • memory/4492-17-0x0000000000130000-0x0000000000145000-memory.dmp

              Filesize

              84KB

            • memory/4492-18-0x0000000000130000-0x0000000000145000-memory.dmp

              Filesize

              84KB