Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    26/03/2024, 08:50

General

  • Target

    dec340af99d11d4bda18bafe03b2172f.exe

  • Size

    14.9MB

  • MD5

    dec340af99d11d4bda18bafe03b2172f

  • SHA1

    08712f078b5470ee9a7398c8662af4269b749da3

  • SHA256

    7d34075aebc551801edcf950ad816a5f277522f2d6b53679e7bd2921d89e0c4f

  • SHA512

    4125d79a9a9f1288e8fdaf5477c47f0c6ef8c522ae639842b334847a7ed1668126ee0ff8eae59dac20808e6b64959027bb6bb811d10f2cfb43c551374bf07a1d

  • SSDEEP

    49152:2yqI2kmso555555555555555555555555555555555555555555555555555555t:2yqI2

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass (2 TTPs, 1 IoC)
  • Creates new service(s) (1 TTP)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Launches sc.exe (3 IoCs)

    sc.exe is the Windows utility for controlling services on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe
    "C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\swmbeksk\
      2⤵
        PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrritctv.exe" C:\Windows\SysWOW64\swmbeksk\
        2⤵
          PID:2632
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create swmbeksk binPath= "C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d\"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2692
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description swmbeksk "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2652
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start swmbeksk
          2⤵
          • Launches sc.exe
          PID:2448
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2748
      • C:\Windows\SysWOW64\swmbeksk\xrritctv.exe
        C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2432
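The process tree above is the whole persistence chain in four steps: create a subdirectory under SysWOW64, move the dropped xrritctv.exe into it, register it as an auto-start service named swmbeksk whose binPath carries the original sample path as a /d argument, and add an inbound allow rule for the 32-bit svchost.exe that the service process then spawns and (per the SetThreadContext and WriteProcessMemory signatures on PID 2576) injects into. The `>nul` that survives at the end of netsh.exe's own command line suggests that string went straight to CreateProcess rather than through cmd.exe, unlike the mkdir and move steps. The script below is an added example and is not part of the sandbox report: it runs over process-creation records constructed from the command lines shown (the parent PIDs 1000 and 500 are placeholders, since the report does not show the sample's or the service's parent), tokenizes each line the way CommandLineToArgvW would for these inputs, parses sc.exe's `key= value` option syntax, flags each step, and reports the parent PID under which all four occurred. The rule names, the system-directory list and the chain definition are the example's own.

```python
"""Flag the Tofsee persistence chain from process-creation command lines."""
import ntpath
import re
from collections import defaultdict

# "pid ppid command line" records constructed from the process tree above.
# Parent PIDs 1000 (submitted sample) and 500 (service process, normally
# services.exe) are placeholders; the report does not show them.
RAW_EVENTS = r"""
2656 1000 "C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
2932 2656 "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\swmbeksk\
2632 2656 "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrritctv.exe" C:\Windows\SysWOW64\swmbeksk\
2692 2656 "C:\Windows\System32\sc.exe" create swmbeksk binPath= "C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d\"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe\"" type= own start= auto DisplayName= "wifi support"
2652 2656 "C:\Windows\System32\sc.exe" description swmbeksk "wifi internet conection"
2448 2656 "C:\Windows\System32\sc.exe" start swmbeksk
2748 2656 "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2576 500 C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
2432 2576 svchost.exe
"""

SYS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# The four steps that together make up the chain seen in this report.
CHAIN = {"stage_mkdir_system_subdir", "stage_temp_to_windows",
         "service_install", "firewall_allow_svchost"}


def parse_events(text):
    """Return (pid, ppid, command line) tuples from the record text."""
    return [(int(p), int(pp), cmd) for p, pp, cmd in
            (line.split(maxsplit=2) for line in text.strip().splitlines())]


def win_split(cmdline):
    """Simplified CommandLineToArgvW: whitespace separates, double quotes group,
    backslash-quote yields a literal quote, every other backslash is literal
    (the full backslash-run rules are not needed for these command lines)."""
    args, cur, in_quote, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"'); pending = True; i += 2
        elif c == '"':
            in_quote = not in_quote; pending = True; i += 1
        elif c in " \t" and not in_quote:
            if pending:
                args.append("".join(cur)); cur, pending = [], False
            i += 1
        else:
            cur.append(c); pending = True; i += 1
    if pending:
        args.append("".join(cur))
    return args


def parse_sc_create(args):
    """sc.exe create <name> key= value ...; sc requires the space after '=',
    so options arrive as ('key=', 'value') token pairs."""
    if len(args) < 3 or args[1].lower() != "create":
        return None
    opts, rest = {"name": args[2]}, args[3:]
    opts.update((k[:-1].lower(), v) for k, v in zip(rest[0::2], rest[1::2]) if k.endswith("="))
    return opts


def in_system_subdir(path):
    """True for a path inside a subdirectory of System32/SysWOW64, a common
    home for dropped service binaries; files directly in those dirs pass."""
    p = path.lower()
    return any(p.startswith(s + "\\") and "\\" in p[len(s) + 1:] for s in SYS_DIRS)


def analyze(events):
    """One finding per suspicious command line: {pid, ppid, rule, detail}."""
    findings = []
    def hit(pid, ppid, rule, detail):
        findings.append({"pid": pid, "ppid": ppid, "rule": rule, "detail": detail})
    for pid, ppid, cmdline in events:
        args = win_split(cmdline)
        image = ntpath.basename(args[0]).lower() if args else ""
        if image == "sc.exe":
            sc = parse_sc_create(args)
            if sc and "binpath" in sc:
                exe = (win_split(sc["binpath"]) or [""])[0]
                # Service binary in a fresh System32/SysWOW64 subdirectory, or a
                # binPath that still refers back into a user Temp directory.
                if in_system_subdir(exe) or TEMP_RE.search(sc["binpath"]):
                    hit(pid, ppid, "service_install",
                        f"{sc['name']} ({sc.get('displayname', '')}) -> {sc['binpath']}")
        elif image == "netsh.exe":
            kv = {k.lower(): v for k, v in (a.split("=", 1) for a in args[1:] if "=" in a)}
            # Blanket inbound allow for svchost.exe added from a user-land process.
            if ("add" in (a.lower() for a in args) and kv.get("dir", "").lower() == "in"
                    and kv.get("action", "").lower() == "allow"
                    and ntpath.basename(kv.get("program", "")).lower() == "svchost.exe"):
                hit(pid, ppid, "firewall_allow_svchost", f"rule name: {kv.get('name', '')}")
        elif image == "cmd.exe" and len(args) > 2 and args[1].lower() == "/c":
            verb, targets = args[2].lower(), args[3:]
            if verb == "mkdir" and any(in_system_subdir(t) for t in targets):
                hit(pid, ppid, "stage_mkdir_system_subdir", targets[-1])
            elif (verb == "move" and any(TEMP_RE.search(t) for t in targets)
                    and any(t.lower().startswith("c:\\windows\\") for t in targets)):
                hit(pid, ppid, "stage_temp_to_windows", " -> ".join(targets[-2:]))
    return findings


def persistence_chain_roots(findings):
    """PIDs whose children carried out every step of the chain."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["ppid"]].add(f["rule"])
    return sorted(p for p, rules in by_parent.items() if CHAIN <= rules)


if __name__ == "__main__":
    found = analyze(parse_events(RAW_EVENTS))
    for f in found:
        print(f"{f['pid']:>5} {f['rule']:<26} {f['detail']}")
    print("persistence chain rooted at PID(s):", persistence_chain_roots(found))
```

Two caveats when adapting this to real telemetry: sc.exe accepts its options only as `key=` followed by a separate value token, which is why the parser pairs tokens instead of splitting on `=`; and the report lists xrritctv.exe twice with different sizes and hashes (3.4 MB at its Temp path, 1.1 MB under SysWOW64), so the SysWOW64 entry is the one that describes the copy the service binPath points at.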

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xrritctv.exe

        Filesize

        3.4MB

        MD5

        6f578b58b5a64d772aa55856ef4fbdcf

        SHA1

        8f2e254596172239f2d806600880a5c6942fea51

        SHA256

        b9c699a14f19135b75b3075503866d17081365801768bb823e1ffe201c9ba0fb

        SHA512

        a3150eaff9bfce0ceb308bfc178ee17467c21d02f1db80909d8181381c2aaa1fe1bc5b3843d6dc0901bb6947a0804d1c3d08c288f4edef674dbf80927a7348af

      • C:\Windows\SysWOW64\swmbeksk\xrritctv.exe

        Filesize

        1.1MB

        MD5

        c4e23be772e5e12730db06e72ba7e9f0

        SHA1

        40350b79ae346a8367d645ef18227c6495f4d21b

        SHA256

        76ba89131581366b996fd420062ae86332b554316df38d93229d3dc000df2365

        SHA512

        69e501bd798adc992f8ba03a7d8e1221bfce343da7c9af242f39dbfe6d00ddd81d308002371be830b312d1d67413372901736c2e1d9fba114fc0bdfdb3221070

      • memory/2432-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2432-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2432-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2432-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2432-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2432-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2576-10-0x0000000000610000-0x0000000000710000-memory.dmp

        Filesize

        1024KB

      • memory/2576-13-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2576-17-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2656-1-0x0000000000620000-0x0000000000720000-memory.dmp

        Filesize

        1024KB

      • memory/2656-7-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/2656-6-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2656-3-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2656-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB
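The memory dumps above follow the naming scheme memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, where <n> is the capture sequence number, so the same range listed several times shows the sandbox re-capturing one region as execution progressed. Grouping them per PID gives three checks worth doing before pulling any file: that each stated Filesize matches its address range (it does for every entry here, e.g. 0x95000 - 0x80000 = 0x15000 = 84 KB), that the 440 KB range at 0x400000 is common to the dropper (2656) and the service process (2576), consistent with both being the same 32-bit image mapped at its default base, and that the svchost process (2432) has exactly one region larger than a page, the 84 KB range at 0x80000, which is the dump to pull first for the code injected by 2576. The script below is an added example over entries constructed from the list above and is not part of the report; the region-grouping logic and the "private versus shared" distinction are the example's own.

```python
"""Triage a sandbox memory-dump listing: verify sizes, group regions per PID."""
import re
from collections import defaultdict

# (dump name, stated Filesize) pairs constructed from the Downloads list above.
DUMPS = [
    ("memory/2432-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2432-22-0x0000000000080000-0x0000000000095000-memory.dmp", "84KB"),
    ("memory/2432-21-0x0000000000080000-0x0000000000095000-memory.dmp", "84KB"),
    ("memory/2432-20-0x0000000000080000-0x0000000000095000-memory.dmp", "84KB"),
    ("memory/2432-15-0x0000000000080000-0x0000000000095000-memory.dmp", "84KB"),
    ("memory/2432-11-0x0000000000080000-0x0000000000095000-memory.dmp", "84KB"),
    ("memory/2576-10-0x0000000000610000-0x0000000000710000-memory.dmp", "1024KB"),
    ("memory/2576-13-0x0000000000400000-0x000000000046E000-memory.dmp", "440KB"),
    ("memory/2576-17-0x0000000000400000-0x000000000046E000-memory.dmp", "440KB"),
    ("memory/2656-1-0x0000000000620000-0x0000000000720000-memory.dmp", "1024KB"),
    ("memory/2656-7-0x0000000000220000-0x0000000000233000-memory.dmp", "76KB"),
    ("memory/2656-6-0x0000000000400000-0x000000000046E000-memory.dmp", "440KB"),
    ("memory/2656-3-0x0000000000400000-0x000000000046E000-memory.dmp", "440KB"),
    ("memory/2656-2-0x0000000000220000-0x0000000000233000-memory.dmp", "76KB"),
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'84KB' -> 86016; the report states sizes in whole binary units."""
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text.strip().upper())
    if not m:
        raise ValueError(f"unparsable size: {text!r}")
    return int(m[1]) * UNITS[m[2]]


def parse_dump(name, stated):
    """Decode one dump name and check its range against the stated size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size": end - start, "size_ok": end - start == parse_size(stated)}


def regions_by_pid(entries):
    """{pid: {(start, end): [capture sequence numbers]}}; repeated captures of
    one range collapse into a single region with the sequence numbers kept."""
    out = defaultdict(dict)
    for e in entries:
        out[e["pid"]].setdefault((e["start"], e["end"]), []).append(e["seq"])
    return {pid: {rng: sorted(seqs) for rng, seqs in regs.items()} for pid, regs in out.items()}


def shared_regions(regions):
    """Ranges dumped from more than one process, with the PIDs that share them."""
    owners = defaultdict(set)
    for pid, regs in regions.items():
        for rng in regs:
            owners[rng].add(pid)
    return {rng: pids for rng, pids in owners.items() if len(pids) > 1}


def private_regions(regions):
    """Per PID, the ranges no other process has, largest first: the first
    places to look for code that exists only in an injected-into process."""
    shared = shared_regions(regions)
    return {pid: sorted((r for r in regs if r not in shared), key=lambda r: r[0] - r[1])
            for pid, regs in regions.items()}


if __name__ == "__main__":
    entries = [parse_dump(n, s) for n, s in DUMPS]
    for e in entries:
        if not e["size_ok"]:
            print(f"size mismatch: pid {e['pid']} seq {e['seq']} range {e['size']} bytes")
    regions = regions_by_pid(entries)
    for rng, pids in shared_regions(regions).items():
        print(f"shared 0x{rng[0]:X}-0x{rng[1]:X} ({(rng[1] - rng[0]) // 1024} KB) in {sorted(pids)}")
    for pid, regs in private_regions(regions).items():
        for start, end in regs:
            print(f"pid {pid}: private 0x{start:X}-0x{end:X} ({(end - start) // 1024} KB), "
                  f"captured at seq {regions[pid][(start, end)]}")
```

For PID 2432 the script leaves two private ranges, the 84 KB region at 0x80000 (captured five times, at sequence numbers 11 through 22) and a single 4 KB page at 0x7EFDE000; only the former is large enough to hold injected code, so it is the one to carve and scan for the Tofsee configuration before the C2 values listed under Malware Config are taken at face value.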