Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 10:51

General

  • Target

    c5b025bdaf3514eec1039bdfd3136719.exe

  • Size

    12.3MB

  • MD5

    c5b025bdaf3514eec1039bdfd3136719

  • SHA1

    fde907f50ba9d3688ac89bbfbdb439882da654cf

  • SHA256

    6eb81b659b7fdf4fd090a09e86d122dbcda216e56c5cb73677b4c01f81d7a1ea

  • SHA512

    c3d6a2dc0be83a5d0b1546ce2a34d7f409190d924b5e282e9543ae4213bf95d22ff12f72a834aee8f24955d12aca29fda3d9e16a5aff777498d81e920bb87607

  • SSDEEP

    49152:YRBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBf:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe
    "C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ekhlgwea\
      2⤵
      PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ztvyrqq.exe" C:\Windows\SysWOW64\ekhlgwea\
      2⤵
      PID:2152
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ekhlgwea binPath= "C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:2552
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ekhlgwea "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2672
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ekhlgwea
      2⤵
      • Launches sc.exe
      PID:2788
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2664
  • C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe
    C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe /d"C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ztvyrqq.exe
    Filesize
    12.8MB
    MD5
    643f08d0de07d980905a88ab1b5b8b1b
    SHA1
    53596d386d782e90c92d5b130725b5d4cd10b561
    SHA256
    53d72ef94657cfc2d46e7b40fba3d89e31dc2d1b38c87e0f7e1dc0e52c8e73ba
    SHA512
    6b3603d8c428e0509cb2c05c307b3f527d80b90a0eebd3d645ab83f647d24441257eeddddc3a3527a1f7788a9a435d63987f9be5ddb5a4c45a72db9bac464f1e

  • C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe
    Filesize
    2.2MB
    MD5
    ace17f42b5c5152af3ce5cd3670397da
    SHA1
    531230d4bb6e2b97aee460e94fa0911ac0f6a450
    SHA256
    dd1390de80f20a7d1523f38c148af49b41c14a73b52b8e4485cf5948d04b26c6
    SHA512
    eb0b4c5240d536903da3b84b4c7ac53d7be942a451dc80edf2f18472ef9547654949ea12a59ededf8556b57bf7c9536bc2b5eed7558480ec522bb3948c276c91

  • memory/2236-1-0x0000000001050000-0x0000000001150000-memory.dmp
    Filesize
    1024KB

  • memory/2236-2-0x00000000003B0000-0x00000000003C3000-memory.dmp
    Filesize
    76KB

  • memory/2236-4-0x0000000000400000-0x0000000000C0A000-memory.dmp
    Filesize
    8.0MB

  • memory/2236-7-0x0000000000400000-0x0000000000C0A000-memory.dmp
    Filesize
    8.0MB

  • memory/2332-9-0x0000000000270000-0x0000000000370000-memory.dmp
    Filesize
    1024KB

  • memory/2332-15-0x0000000000400000-0x0000000000C0A000-memory.dmp
    Filesize
    8.0MB

  • memory/2332-17-0x0000000000400000-0x0000000000C0A000-memory.dmp
    Filesize
    8.0MB

  • memory/2888-10-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/2888-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2888-13-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/2888-19-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/2888-20-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/2888-21-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB