Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2024, 15:43

General

  • Target

    de5da42d2a492730c54beb78daf4a683.exe

  • Size

    11.3MB

  • MD5

    de5da42d2a492730c54beb78daf4a683

  • SHA1

    5831d3343907e0720285f1c155bdfde80d6ffbf1

  • SHA256

    d9491f47925462566a31712bc2ff372b2038c1e0c06765c6acc6df1eb1db3d79

  • SHA512

    24feaf2db924b0c9f69ee2bd152c12250d40b4d81759a5c8f6182e8db077d7403e5e5d28738d17457f44ccdcd236a9c0ed24a0c0b70d1a044f3dcb93352e9c07

  • SSDEEP

    24576:VMbR/TEq/Z/3RIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr:VcE8

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe
    "C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phwayht\
      2⤵
        PID:3200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ovhudqrl.exe" C:\Windows\SysWOW64\phwayht\
        2⤵
          PID:2936
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create phwayht binPath= "C:\Windows\SysWOW64\phwayht\ovhudqrl.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4980
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description phwayht "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:5040
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start phwayht
          2⤵
          • Launches sc.exe
          PID:2524
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:668
      • C:\Windows\SysWOW64\phwayht\ovhudqrl.exe
        C:\Windows\SysWOW64\phwayht\ovhudqrl.exe /d"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:1788

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ovhudqrl.exe

        Filesize

        7.2MB

        MD5

        3193f369a36885cf807111ed87130805

        SHA1

        32c23e5a1dc24db309414870aa4231ee105876b9

        SHA256

        286c6a9c4959c5484b569a1984babd0dac16c4311763485e083be4db20bb1020

        SHA512

        b0e8a38efc3ba242400cf967ef2623e6b85c19fb275e056117918fbbea0815dac07b6c6372e168af390e57d382780ceab99c46854bb1d2becd29b121a01654dd

      • C:\Windows\SysWOW64\phwayht\ovhudqrl.exe

        Filesize

        13.1MB

        MD5

        5db7aedb7eeed0ee036b466cd228410c

        SHA1

        44093d3dc0008e7d258e3bea104862fb317b39ec

        SHA256

        19054a75dfc49e1f75dee8faf6572c76e5307b561a3da89d7ddd5913200013d8

        SHA512

        643c46f74973d3c27a5a0aa27a1524d1c08f57d204c3aa6a74d09eeb40f039592fc96c7de438d93e0b04ad55ba0d7d5e000df6080c3303b8b256a59284de5fc7

      • memory/940-16-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/940-10-0x0000000002620000-0x0000000002720000-memory.dmp

        Filesize

        1024KB

      • memory/940-14-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/1620-4-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/1620-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

        Filesize

        76KB

      • memory/1620-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

        Filesize

        76KB

      • memory/1620-6-0x0000000000400000-0x00000000023AD000-memory.dmp

        Filesize

        31.7MB

      • memory/1620-1-0x00000000026D0000-0x00000000027D0000-memory.dmp

        Filesize

        1024KB

      • memory/1788-11-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

        Filesize

        84KB

      • memory/1788-15-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

        Filesize

        84KB

      • memory/1788-17-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

        Filesize

        84KB

      • memory/1788-18-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

        Filesize

        84KB

      • memory/1788-19-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

        Filesize

        84KB