Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 09:12

General

  • Target
    decd65be2a38b9f4ebb3f2b71fc31660.exe
  • Size
    12.3MB
  • MD5
    decd65be2a38b9f4ebb3f2b71fc31660
  • SHA1
    9bbff19bf1aae502de6fcdd86d3029c3525a7c7e
  • SHA256
    773a44dcd8fd25f6e2d323ff3c44c8496881a3a9e4eb447894cc88cbd197dd17
  • SHA512
    f30e2711d23b12b32eb9ca87bc5af165f1f701a80ef0262b6dfe17b9fa6fcd11b733fb1894cd4c6a051a0f8aaa1f5d3cb1a8cbd77cba18421ab2d414e2bc2107
  • SSDEEP
    24576:jjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBT:jnh

Malware Config

Extracted

  • Family
    tofsee
  • C2
    defeatwax.ru
    refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass (2 TTPs, 1 IoCs)
  • Creates new service(s) (1 TTPs)
  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoCs)
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Launches sc.exe (3 IoCs)

    sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe
    "C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xvizvopl\
      2⤵
      PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bwgjxiiq.exe" C:\Windows\SysWOW64\xvizvopl\
      2⤵
      PID:2316
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create xvizvopl binPath= "C:\Windows\SysWOW64\xvizvopl\bwgjxiiq.exe /d\"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:3004
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description xvizvopl "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:2620
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start xvizvopl
      2⤵
      • Launches sc.exe
      PID:2564
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2660
  • C:\Windows\SysWOW64\xvizvopl\bwgjxiiq.exe
    C:\Windows\SysWOW64\xvizvopl\bwgjxiiq.exe /d"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      PID:2648

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bwgjxiiq.exe
    Filesize: 12.4MB
    MD5: 62b3b10d4b214b8022c65bf37e6e4939
    SHA1: a8c98773cc6f0e073c20b0da87699bb19268c338
    SHA256: e0da54ecc0a54942fa0eaa043390ed29fdd73f92bae3fad438dc89d6ab44ac4e
    SHA512: c82a92d2b342de0e6b08cb5478d26552c023919546ee026f64a0b76cc229dd46b1b1da3b9bcfe1c6b2864325cdada0cf9e1f9b25f1596999e5c02bafb02a3674

  • C:\Windows\SysWOW64\xvizvopl\bwgjxiiq.exe
    Filesize: 8.5MB
    MD5: 13ca74b4e4d22fcc6ccfa5f3d0ed9bc1
    SHA1: f7326660a6446de947946eda712d1e93f58729de
    SHA256: e4f49608e3e23c2d8f93373a9899c97b519f436f16f52f6130c627aecd2bfafb
    SHA512: 3b5819508edbfa3c5803967ac939df3e484a589c3a9b09ba49b31d6b0d05df70732b4793fe29f4ec756f991062bfab8dc29c8c95c6185725c2c682ba1abb48ff

  • memory/2420-9-0x0000000000290000-0x0000000000390000-memory.dmp
    Filesize: 1024KB
  • memory/2420-16-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize: 440KB
  • memory/2420-10-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize: 440KB
  • memory/2648-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/2648-11-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2648-14-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2648-18-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2648-19-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2648-20-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2648-21-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize: 84KB
  • memory/2684-8-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize: 440KB
  • memory/2684-1-0x0000000000500000-0x0000000000600000-memory.dmp
    Filesize: 1024KB
  • memory/2684-4-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize: 440KB
  • memory/2684-3-0x0000000000220000-0x0000000000233000-memory.dmp
    Filesize: 76KB