Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 15:05

General

  • Target

    de4b82a7ffeafcc4720ea974858808fd.exe

  • Size

    12.5MB

  • MD5

    de4b82a7ffeafcc4720ea974858808fd

  • SHA1

    5fe3e02097b77dc5696e5c70c73c86beeec1653d

  • SHA256

    ef25242cd655ccffe910bec6a1625773d929fb0bc657a8af0a72442af126c7b1

  • SHA512

    474fd7aa6edfa92e13656c1bfd835f0f9b9905c2ae0c0d6766ade1c08b6449e90d95ae921c3fd2ce2ba7dc6ecc5c0a08507f86ea3be6c5847d5db8fc58b2265d

  • SSDEEP

    24576:TjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/:T/D

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de4b82a7ffeafcc4720ea974858808fd.exe
    "C:\Users\Admin\AppData\Local\Temp\de4b82a7ffeafcc4720ea974858808fd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\osywdkhm\
      2⤵
        PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lpwacfvh.exe" C:\Windows\SysWOW64\osywdkhm\
        2⤵
          PID:2252
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create osywdkhm binPath= "C:\Windows\SysWOW64\osywdkhm\lpwacfvh.exe /d\"C:\Users\Admin\AppData\Local\Temp\de4b82a7ffeafcc4720ea974858808fd.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2496
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description osywdkhm "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2512
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start osywdkhm
          2⤵
          • Launches sc.exe
          PID:2620
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2644
      • C:\Windows\SysWOW64\osywdkhm\lpwacfvh.exe
        C:\Windows\SysWOW64\osywdkhm\lpwacfvh.exe /d"C:\Users\Admin\AppData\Local\Temp\de4b82a7ffeafcc4720ea974858808fd.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\lpwacfvh.exe

        Filesize

        4.2MB

        MD5

        edf29686701f2c850340d956b4f7b241

        SHA1

        c82e4490add55ccde7a12229d0c61e9cb77c9eaa

        SHA256

        54044a0551c1f5810cdd6dd371855890d0478bbe4f652d54c1452d33781b3647

        SHA512

        7c7d6436d3f69861bb2697314951498aa685e132601fd21c100f105ceda527b19abb552da4e55b02de788d3aab802061c3d8c36e4cfa5a644aaef8a9be0dbcd5

      • C:\Windows\SysWOW64\osywdkhm\lpwacfvh.exe

        Filesize

        14.8MB

        MD5

        dfdfcbc34afa9d39dbe423373d6f83aa

        SHA1

        b7dcea60759e86e7e3f41508643099a98d4bec41

        SHA256

        2c724ed03fdfe4c9617d57b3d49875fac92c4c22c8c14da39bfcb06e7045795e

        SHA512

        00315a14d7e3326097abe6e9b2ada52ad3cd1a518584891f41825480f23a50b71d103f616b4a7535a9bd8abfa5cde01106e470d9a642dd1c6d1fbc930c65caa6

      • memory/2052-17-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2052-10-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

      • memory/2052-11-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2540-15-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2540-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2540-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2540-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2540-12-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2540-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/3020-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/3020-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

        Filesize

        1024KB

      • memory/3020-3-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/3020-7-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/3020-6-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB