Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2024, 15:43

General

  • Target

    de5da42d2a492730c54beb78daf4a683.exe

  • Size

    11.3MB

  • MD5

    de5da42d2a492730c54beb78daf4a683

  • SHA1

    5831d3343907e0720285f1c155bdfde80d6ffbf1

  • SHA256

    d9491f47925462566a31712bc2ff372b2038c1e0c06765c6acc6df1eb1db3d79

  • SHA512

    24feaf2db924b0c9f69ee2bd152c12250d40b4d81759a5c8f6182e8db077d7403e5e5d28738d17457f44ccdcd236a9c0ed24a0c0b70d1a044f3dcb93352e9c07

  • SSDEEP

    24576:VMbR/TEq/Z/3RIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr:VcE8

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe
    "C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aqfghorx\
      2⤵
        PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bvrxiskq.exe" C:\Windows\SysWOW64\aqfghorx\
        2⤵
          PID:2356
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create aqfghorx binPath= "C:\Windows\SysWOW64\aqfghorx\bvrxiskq.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2032
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description aqfghorx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2568
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start aqfghorx
          2⤵
          • Launches sc.exe
          PID:2732
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2300
      • C:\Windows\SysWOW64\aqfghorx\bvrxiskq.exe
        C:\Windows\SysWOW64\aqfghorx\bvrxiskq.exe /d"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\bvrxiskq.exe

        Filesize

        11.3MB

        MD5

        2c4b9af5af82837125f462b8a11541b0

        SHA1

        e60ffc065d744f725f7de7f842a88e4dad400802

        SHA256

        ac064ffdf74d0ead32fb54e70a9552624f93edd12f30c9bd5aceaf550a292fc5

        SHA512

        b6ead5bfdac0a4e6472cbfc22aafdd300e2646821618584beab6e69ff93d81fbb9e3e6e3f25068c23127797b923e95fde815174368e1d32c4f1426fbbcaec14c

      • C:\Windows\SysWOW64\aqfghorx\bvrxiskq.exe

        Filesize

        10.2MB

        MD5

        3a8ea167a4dbba41f464312a1b2c5fb5

        SHA1

        d9544826f82d0c7a5647fe209bf9c0988888bff8

        SHA256

        92ccf111bdff9f8944b304da9677819393a8743fec175976e229483d066e11e4

        SHA512

        f57e5945b8da60a4726af7a4f014907a527c193a1c4746b9ef62fcd0ff7855a7707b1da9a10aed333032a180d21722edb2aeaa31556a490ca64add30491fdb68

      • memory/2592-16-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/2592-10-0x0000000000020000-0x0000000000033000-memory.dmp

        Filesize

        76KB

      • memory/2592-9-0x0000000002470000-0x0000000002570000-memory.dmp

        Filesize

        1024KB

      • memory/2592-11-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/2744-20-0x00000000000E0000-0x00000000000F5000-memory.dmp

        Filesize

        84KB

      • memory/2744-22-0x00000000000E0000-0x00000000000F5000-memory.dmp

        Filesize

        84KB

      • memory/2744-21-0x00000000000E0000-0x00000000000F5000-memory.dmp

        Filesize

        84KB

      • memory/2744-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2744-12-0x00000000000E0000-0x00000000000F5000-memory.dmp

        Filesize

        84KB

      • memory/2744-15-0x00000000000E0000-0x00000000000F5000-memory.dmp

        Filesize

        84KB

      • memory/2940-8-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/2940-2-0x0000000000020000-0x0000000000033000-memory.dmp

        Filesize

        76KB

      • memory/2940-4-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/2940-1-0x0000000002480000-0x0000000002580000-memory.dmp

        Filesize

        1024KB