Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 16:05

General

  • Target

    de66f26c8cf8906b96c4d20e5f443716.exe

  • Size

    13.2MB

  • MD5

    de66f26c8cf8906b96c4d20e5f443716

  • SHA1

    fb52e8508a6c0fd8bde2adccf511f136f8141ad1

  • SHA256

    64e52297cb5b2028e6d8f9827630a881bf7a3862645a0bef4642e890c291c6f9

  • SHA512

    5211240eb0ac2fd1825dfae1172144378f9fd7ef454bc3070c44ff6143e0cb9132ba7de7d9a2f4d393a190af14dda229f352523b15b0a4f431512ebdda57dbf3

  • SSDEEP

    24576:Hgdy5yNM4444444444444444444444444444444444444444444444444444444M:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe
    "C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fjuaxfnd\
      2⤵
      PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zrwwdvpt.exe" C:\Windows\SysWOW64\fjuaxfnd\
      2⤵
      PID:3888
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create fjuaxfnd binPath= "C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe /d\"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:3016
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description fjuaxfnd "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:1264
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start fjuaxfnd
      2⤵
      • Launches sc.exe
      PID:4620
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:1468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1028
      2⤵
      • Program crash
      PID:3372
  • C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe
    C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe /d"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 520
      2⤵
      • Program crash
      PID:4488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3664 -ip 3664
    1⤵
    PID:4052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 552 -ip 552
    1⤵
    PID:4612
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zrwwdvpt.exe
    Filesize
    2.4MB
    MD5
    f4fe795d214e87a4ef45c1101849ffc6
    SHA1
    db3b17947453bc4e0d8140d39a8927b4908511de
    SHA256
    03f072c233ee62f1ce907d0e79970eca502e7094dfdfc86d32238bc012635a1c
    SHA512
    a1f7450e039f9bae60962897ade9fd98ffd033dc50d13bd28f48f804fa0ca560c1c67ae45f7805c50b446be9af18d3c250e8ba29fe6ef7c1bf657b0e354cfd92

  • C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe
    Filesize
    621KB
    MD5
    4dab2695168085b462f35c6f3822ddf8
    SHA1
    62400adb7708b992372fa49a9da5fa0c68aeb515
    SHA256
    f127b71525fe166654fa55461de935755e05467c8d9fb959d49a6ebee8aebdd0
    SHA512
    454decfa5582d2b57ad6969e99d54ad7d4395cf3b7038074b378c4a3ebe67412762abe4b7720b4f7c98968bf23738e1dc6039e95af431d35eb13457d3d7c661e

  • memory/552-18-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize
    344KB

  • memory/552-12-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize
    344KB

  • memory/552-11-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/3664-9-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize
    344KB

  • memory/3664-1-0x0000000000620000-0x0000000000720000-memory.dmp
    Filesize
    1024KB

  • memory/3664-10-0x0000000000600000-0x0000000000613000-memory.dmp
    Filesize
    76KB

  • memory/3664-5-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize
    344KB

  • memory/3664-3-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize
    344KB

  • memory/3664-2-0x0000000000600000-0x0000000000613000-memory.dmp
    Filesize
    76KB

  • memory/4572-13-0x00000000004E0000-0x00000000004F5000-memory.dmp
    Filesize
    84KB

  • memory/4572-17-0x00000000004E0000-0x00000000004F5000-memory.dmp
    Filesize
    84KB

  • memory/4572-19-0x00000000004E0000-0x00000000004F5000-memory.dmp
    Filesize
    84KB

  • memory/4572-20-0x00000000004E0000-0x00000000004F5000-memory.dmp
    Filesize
    84KB