Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 18:10

General

  • Target

    dea2ca171f528876b5bb42ac2630b2fb.exe

  • Size

    11.8MB

  • MD5

    dea2ca171f528876b5bb42ac2630b2fb

  • SHA1

    3ad94d0eb736834da2689c6b806906deaf0f2a60

  • SHA256

    ffbe4fc61de6a70ab99966df71a5b4ebf80ae6646020679a8a27e450b9b4240b

  • SHA512

    e76389468c8b90a28e211c4de6a8873ae3c51cdd43feec7ef359ba6fab325004c718ac87e9a6e11850a20abfd5ede120d506f48f83ff5487a07e7f1193ffc585

  • SSDEEP

    98304:vjhd88888888888888888888888888888888888888888888888888888888888Q:v

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe
    "C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qctzrsdf\
      2⤵
        PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gsrwvnlw.exe" C:\Windows\SysWOW64\qctzrsdf\
        2⤵
          PID:940
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qctzrsdf binPath= "C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe /d\"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2168
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qctzrsdf "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2664
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qctzrsdf
          2⤵
          • Launches sc.exe
          PID:2696
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2724
      • C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe
        C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe /d"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1904

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gsrwvnlw.exe

        Filesize

        13.0MB

        MD5

        d2d2399e50da5ea1a6401e0195f34227

        SHA1

        3a0abf0063a9ad97814024c68cbabcab455409e7

        SHA256

        ef89b802cebf7c78c107df553e57179ad78fe95545f916fd985263affeea3686

        SHA512

        9f0b3f4080cb2eaf89e07dbfae2eb46012f2f80f662ef998be8a22a9a0784d09d763e2c3bd824d4f66a714aaf954f5441542ad39faeb294a21526436f70ffde3

      • memory/1884-1-0x0000000000270000-0x0000000000370000-memory.dmp

        Filesize

        1024KB

      • memory/1884-2-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

      • memory/1884-4-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/1884-7-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB

      • memory/1904-9-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1904-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/1904-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1904-18-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1904-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1904-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2584-14-0x00000000004F0000-0x00000000005F0000-memory.dmp

        Filesize

        1024KB

      • memory/2584-15-0x0000000000400000-0x000000000045D000-memory.dmp

        Filesize

        372KB