Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2024, 09:12

General

  • Target

    decd65be2a38b9f4ebb3f2b71fc31660.exe

  • Size

    12.3MB

  • MD5

    decd65be2a38b9f4ebb3f2b71fc31660

  • SHA1

    9bbff19bf1aae502de6fcdd86d3029c3525a7c7e

  • SHA256

    773a44dcd8fd25f6e2d323ff3c44c8496881a3a9e4eb447894cc88cbd197dd17

  • SHA512

    f30e2711d23b12b32eb9ca87bc5af165f1f701a80ef0262b6dfe17b9fa6fcd11b733fb1894cd4c6a051a0f8aaa1f5d3cb1a8cbd77cba18421ab2d414e2bc2107

  • SSDEEP

    24576:jjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBT:jnh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe
    "C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\koyfhwpx\
      2⤵
        PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pygexzcc.exe" C:\Windows\SysWOW64\koyfhwpx\
        2⤵
          PID:876
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create koyfhwpx binPath= "C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe /d\"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4648
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description koyfhwpx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1508
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start koyfhwpx
          2⤵
          • Launches sc.exe
          PID:868
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4112
      • C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe
        C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe /d"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          PID:4756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\pygexzcc.exe

        Filesize

        13.9MB

        MD5

        05ef9769c64b9e886e5278e450587dd4

        SHA1

        c8dd39cf2725f1f4e778f1a3f40bbc54c12a072f

        SHA256

        aa04b3d9d58fd65c35da8d55a4ef05bf0fc33b1f349826fcae0c7c6b4ad0415a

        SHA512

        f7888b592715c1293195ae5a60d4206055cc1c96731f39d7e27b6ecc2609f9fd8884f5c890c6609cdfedde4fa32d04e9cc7b8e2885a1af3f617b7c3d81666279

      • C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe

        Filesize

        12.5MB

        MD5

        25e14c510e0afae55ef152ba3845741d

        SHA1

        5d3d28b2aeb5c8b5f64de554e19da41b236bf012

        SHA256

        855fb53fc0f0d4c2f24a116119cb346b11eda014d801024b298ea657d4115a4a

        SHA512

        93b59eec986ced5b509c696ac8230400939e9dc2937305ae5b3424e5dabd50dfac95522c2736712090c6ce3a8a11e53b9ee9c5be1e6bc0178bfa1e7d4d1cbd29

      • memory/860-9-0x0000000000D30000-0x0000000000D43000-memory.dmp

        Filesize

        76KB

      • memory/860-18-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/860-10-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/860-8-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

      • memory/4756-11-0x0000000000290000-0x00000000002A5000-memory.dmp

        Filesize

        84KB

      • memory/4756-14-0x0000000000290000-0x00000000002A5000-memory.dmp

        Filesize

        84KB

      • memory/4756-16-0x0000000000290000-0x00000000002A5000-memory.dmp

        Filesize

        84KB

      • memory/4756-17-0x0000000000290000-0x00000000002A5000-memory.dmp

        Filesize

        84KB

      • memory/4756-25-0x0000000000290000-0x00000000002A5000-memory.dmp

        Filesize

        84KB

      • memory/5304-4-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/5304-1-0x00000000004B0000-0x00000000005B0000-memory.dmp

        Filesize

        1024KB

      • memory/5304-15-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/5304-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

        Filesize

        76KB

      • memory/5304-23-0x00000000004B0000-0x00000000005B0000-memory.dmp

        Filesize

        1024KB