Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 08:39

General

  • Target

    debe4a88a9ba02f69a42ff9d1d3db1aa.exe

  • Size

    14.0MB

  • MD5

    debe4a88a9ba02f69a42ff9d1d3db1aa

  • SHA1

    75c854472d822031d61d90a995b68b91e3aee286

  • SHA256

    40ed19717bc806f511f30549b4be0b5968677539034246531127419781a09933

  • SHA512

    e741bffdecf5cb0098ea850bd45cd48ee1df9085153b4873ecaf30f5cba2b7bbb53957973d706ee9640453e24ca2f4782fde1fae36a01ae7e8e1c3e645da6d51

  • SSDEEP

    49152:SGvEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:SG

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is the Windows service control utility; here it is used to register, describe and start the dropped binary as an auto-start service.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe
    "C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sbtotvfm\
      2⤵
        PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dekteaow.exe" C:\Windows\SysWOW64\sbtotvfm\
        2⤵
          PID:2944
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create sbtotvfm binPath= "C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe /d\"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description sbtotvfm "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2636
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start sbtotvfm
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3016
      • C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe
        C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe /d"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2472

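The process tree above is a complete Tofsee service-install chain: the sample creates a fresh subdirectory under SysWOW64, moves the dropped second stage into it, registers it with sc.exe as an auto-start service under a benign-looking DisplayName ("wifi support"), adds an inbound firewall allow rule for svchost.exe, and starts the service; the service then spawns svchost.exe with SetThreadContext and WriteProcessMemory activity, which is consistent with process hollowing. The Python below is an added detection example, not part of the sandbox report and not code from the malware: it runs that chain logic over process-creation events transcribed from the tree (a constructed sample, not a real Sysmon or EDR export) and pulls out the host IOCs a responder would hunt for. The stage names, the `analyze` function, the regexes and the benign control row (pid 4000, a plain `sc query`) are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: (pid, parent pid, image path, command line), transcribed from the
# sandbox process tree in this report plus one benign control row (pid 4000). Not a real export.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"
DROP = r"C:\Windows\SysWOW64\sbtotvfm"
EVENTS = [
    (1196, 1000, SAMPLE, f'"{SAMPLE}"'),
    (1512, 1196, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C mkdir ' + DROP + "\\"),
    (2944, 1196, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dekteaow.exe" ' + DROP + "\\"),
    (2992, 1196, r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" create sbtotvfm binPath= "' + DROP + r'\dekteaow.exe /d\"' + SAMPLE
     + r'\"" type= own start= auto DisplayName= "wifi support"'),
    (2636, 1196, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description sbtotvfm "wifi internet conection"'),
    (2624, 1196, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start sbtotvfm'),
    (3016, 1196, r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
     r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    (1480, 500, DROP + r"\dekteaow.exe", DROP + r'\dekteaow.exe /d"' + SAMPLE + '"'),
    (2472, 1480, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    (4000, 1000, r"C:\Windows\System32\sc.exe", '"C:\\Windows\\System32\\sc.exe" query wuauserv'),  # benign control
]

# sc.exe create <name> ... binPath= "<exe> ..." : capture service name and the executable path
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+).*?binPath=\s*"?([A-Za-z]:\\[^"\s]+\.exe)', re.I)
DISPLAY = re.compile(r'DisplayName=\s*"([^"]*)"', re.I)
# an executable in a *subdirectory* of System32/SysWOW64; legitimate services do not get installed this way
NESTED_SYSDIR = re.compile(r'^[A-Za-z]:\\Windows\\(?:SysWOW64|System32)\\([^\\]+)\\[^\\]+\.exe$', re.I)
FW_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\s+name="([^"]+)".*?action=allow.*?program="([^"]+)"', re.I)
MOVE_TO_SYSDIR = re.compile(r'\bmove\s+(?:/y\s+)?"?([^"\s]+)"?\s+"?([A-Za-z]:\\Windows\\(?:SysWOW64|System32)\\[^"\s]*)', re.I)


def analyze(events):
    """Return (findings, iocs). findings: [(pid, stage, detail)]; iocs: dict of sets for hunting."""
    image_by_pid = {pid: image for pid, _, image, _ in events}
    findings, stages_by_parent = [], defaultdict(set)
    iocs = {"service": set(), "drop_dir": set(), "firewall_rule": set(), "hollow_host_pid": set()}

    def hit(pid, ppid, stage, detail):
        findings.append((pid, stage, detail))
        stages_by_parent[ppid].add(stage)

    for pid, ppid, image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "cmd.exe" and (m := MOVE_TO_SYSDIR.search(cmdline)):
            # user-writable temp file moved into a system directory
            hit(pid, ppid, "stage_binary", f"{m.group(1)} -> {m.group(2)}")
            iocs["drop_dir"].add(m.group(2).rstrip("\\"))
        elif exe == "sc.exe" and (m := SC_CREATE.search(cmdline)):
            svc, binpath = m.group(1), m.group(2)
            if NESTED_SYSDIR.match(binpath):
                disp = DISPLAY.search(cmdline)
                hit(pid, ppid, "install_service",
                    f"{svc} -> {binpath} (DisplayName {disp.group(1) if disp else '?'})")
                iocs["service"].add(svc)
                iocs["drop_dir"].add(binpath.rsplit("\\", 1)[0])
        elif exe == "netsh.exe" and (m := FW_ALLOW.search(cmdline)):
            # svchost.exe never needs a hand-made inbound allow rule; the rule name is a lure
            if m.group(2).rsplit("\\", 1)[-1].lower() == "svchost.exe":
                hit(pid, ppid, "firewall_allow", f'rule "{m.group(1)}" allows inbound to {m.group(2)}')
                iocs["firewall_rule"].add(m.group(1))
        elif exe == "svchost.exe":
            # genuine svchost instances are children of services.exe and carry a "-k <group>" argument
            parent = image_by_pid.get(ppid, "").rsplit("\\", 1)[-1].lower()
            if parent != "services.exe" or " -k " not in cmdline:
                hit(pid, ppid, "hollow_host", f"svchost.exe spawned by {parent or 'unknown'} with cmdline {cmdline!r}")
                iocs["hollow_host_pid"].add(pid)

    # correlate: one parent that both installs a service into a nested system dir and opens the firewall
    for ppid, stages in stages_by_parent.items():
        if {"install_service", "firewall_allow"} <= stages:
            findings.append((ppid, "tofsee_install_chain", f"parent {ppid} ran stages {sorted(stages)}"))
    return findings, iocs


if __name__ == "__main__":
    found, hunt = analyze(EVENTS)
    for pid, stage, detail in found:
        print(f"[{stage}] pid {pid}: {detail}")
    print("IOCs:", {k: sorted(v) for k, v in hunt.items()})
```

The `drop_dir`, `service` and `firewall_rule` sets are what to sweep other hosts for (the service key under HKLM\SYSTEM\CurrentControlSet\Services, the subdirectory under SysWOW64, and the firewall rule by its display name); the service and directory names are random per infection, so hunt on the pattern (nested System32/SysWOW64 service binary, svchost allow rule) rather than on `sbtotvfm` itself.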
      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\dekteaow.exe

        Filesize

        4.7MB

        MD5

        b1fdb2dd9ef09a20b0f695504a168893

        SHA1

        78dea53fd84327923d0fb4d57aa89d42638a84b9

        SHA256

        d0f96b662dced1470433e433bcbb63b9313017831314cb670a8533c32546d1e1

        SHA512

        8fb8fa16d6038e80d9e58c45512e48d9a43762540f7d32fdb63af4cd54409e531f2717f1c6fe46c2c4efe53840efe1785ad14d04badb4412e8a8049d7e3640dc

      • C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe

        Filesize

        7.2MB

        MD5

        58e0db332061fdb9495aa0babd36077b

        SHA1

        752f6b164166c11cefdd152f26d8dd4e6af6c9c8

        SHA256

        0a50742a3c4300fbfa6f40db69fac17ee3be33886cef21344ae85a34e164d65d

        SHA512

        25908eddf3ff650a679088ec79e2b89ccc2b81f79a4c35d99a7bd8098701bf7d3511fb1f490178167929c036148f7fcd2fb273b5eee36e497007eea5a35ec766

      • memory/1196-1-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

        Filesize

        1024KB

      • memory/1196-4-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

      • memory/1196-7-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

      • memory/1196-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/1480-19-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

      • memory/1480-9-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

        Filesize

        1024KB

      • memory/1480-11-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

      • memory/2472-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2472-14-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2472-17-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2472-18-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2472-10-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2472-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2472-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB