Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 15:41

General

  • Target

    de5c837465df687a5d4a83159dbd1b0a.exe

  • Size

    10.8MB

  • MD5

    de5c837465df687a5d4a83159dbd1b0a

  • SHA1

    8775b6ff434ba7e9480679c6ffe9af8997acb69b

  • SHA256

    4ddf6ff4aa156f8aca0d1925ff6ed53094f8d7d0a13db8da74340e8fa6ce9287

  • SHA512

    71b909c163be371d226b93800069dbdd13c6baba4e01501f4d946ae07f5e0ff2487c2e1093685b636fba2238d6124b5bbf9d66bc029f5e29f0dd61cb123d93f8

  • SSDEEP

    24576:0gdy5yNM4444444444444444444444444444444444444444444444444444444g:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe
    "C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\efxakgjx\
      2⤵
        PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kxtjrytd.exe" C:\Windows\SysWOW64\efxakgjx\
        2⤵
          PID:2652
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create efxakgjx binPath= "C:\Windows\SysWOW64\efxakgjx\kxtjrytd.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description efxakgjx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2556
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start efxakgjx
          2⤵
          • Launches sc.exe
          PID:2584
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2028
      • C:\Windows\SysWOW64\efxakgjx\kxtjrytd.exe
        C:\Windows\SysWOW64\efxakgjx\kxtjrytd.exe /d"C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kxtjrytd.exe

        Filesize

        3.5MB

        MD5

        1ea8fd085d230956e3fcad562afd4c75

        SHA1

        d441c12f88126cb57ab6177516e3fc10d6476847

        SHA256

        b237ff95b3a412bff5097088c7cb82852f147c55153445fd0dcaa238f26ce982

        SHA512

        fd2cc2788f18e488150fcda2282068df5c9491f5b86bf1e472f0d9d79d37b3e42837c189b64b3026cd20b389948e96bbb9201ffcd27f5bc407d9b8a03ee4830d

      • C:\Windows\SysWOW64\efxakgjx\kxtjrytd.exe

        Filesize

        1.9MB

        MD5

        31412cca4e073c841d3b31162350e1ae

        SHA1

        9bcd28ff2782f947cac6582aa7824a661c588515

        SHA256

        3d318ba869086e8959b9675c9cdb679e93852ad8284c6cfd23575a61d2d2bc9d

        SHA512

        ae51480b0c38e1ae1f22c956339248e16f43b273b5f0604f703052c75550a761a70267b1ef6a96b97e4c37c80fb9f802133710e083f50d52c1a5ca45c745e943

      • memory/1704-1-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

      • memory/1704-2-0x00000000003A0000-0x00000000003B3000-memory.dmp

        Filesize

        76KB

      • memory/1704-3-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1704-9-0x00000000003A0000-0x00000000003B3000-memory.dmp

        Filesize

        76KB

      • memory/1704-7-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2728-11-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2728-10-0x00000000005B0000-0x00000000006B0000-memory.dmp

        Filesize

        1024KB

      • memory/2728-17-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2920-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2920-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2920-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2920-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2920-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2920-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB