Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 10:14

General

  • Target

    deea754781cd06c966bf7cf7564da0ce.exe

  • Size

    11.4MB

  • MD5

    deea754781cd06c966bf7cf7564da0ce

  • SHA1

    e603d54e7c3e5d400bcbbce4a19af65ce0a60e8a

  • SHA256

    60fad18a773458d36f919b0f65b412521e6c976e4e8c1194380a8e2e31951ff0

  • SHA512

    4d54139e6cf459e88311fb72db6e17275b1294a48fd19b17e7f2fe478418ca8cefdd89b226c3c3bd7f150885020af41395aca9a391d56713c8f366fbfafdbccb

  • SSDEEP

    49152:n8CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCy:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe
    "C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jujmxihy\
      2⤵
        PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\neexnmnb.exe" C:\Windows\SysWOW64\jujmxihy\
        2⤵
          PID:2540
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jujmxihy binPath= "C:\Windows\SysWOW64\jujmxihy\neexnmnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2304
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description jujmxihy "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2704
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start jujmxihy
          2⤵
          • Launches sc.exe
          PID:2600
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3008
      • C:\Windows\SysWOW64\jujmxihy\neexnmnb.exe
        C:\Windows\SysWOW64\jujmxihy\neexnmnb.exe /d"C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2616

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\neexnmnb.exe

        Filesize

        10.2MB

        MD5

        e45cdca35941f9c8dcd58f8eaf301a4f

        SHA1

        f2f95d3abda4f97ba1828462477112019dfe0010

        SHA256

        98d3a7437e16ed1dc95fb1203c598942b87f9b0b56da9ab634f3cb4735c4c22d

        SHA512

        225568e3c4ff6ba052c83995789ad3c7547587c2a833f9cd11c19aaa5a02b5e1661baf7851f6d54342e6c066e1b0e530e523044b583d6f4ce1cd6b7025f598ff

      • C:\Windows\SysWOW64\jujmxihy\neexnmnb.exe

        Filesize

        263KB

        MD5

        6d526b38b67de8c046b7e5c05cb30417

        SHA1

        de44b4bd522d89ed128d7eaa9d0b0159dd7674b6

        SHA256

        12fe82afd35c9e35ddf9d574e6b72455168ad1d4538eb418036dccf0ffef2fb4

        SHA512

        44dc6dd61e27da9718b7ff9972aa220644e340b1c2060ba53442e48e2d2c4b88804a44001544f6a4569387c3156f017cd955e84b859a4450b2f342466f79939d

      • memory/2356-2-0x0000000002D50000-0x0000000002E50000-memory.dmp

        Filesize

        1024KB

      • memory/2356-3-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/2356-4-0x0000000000400000-0x0000000002C6F000-memory.dmp

        Filesize

        40.4MB

      • memory/2356-8-0x0000000000400000-0x0000000002C6F000-memory.dmp

        Filesize

        40.4MB

      • memory/2616-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2616-9-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2616-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2616-16-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2616-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2616-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2616-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2804-14-0x0000000002D00000-0x0000000002E00000-memory.dmp

        Filesize

        1024KB

      • memory/2804-18-0x0000000000400000-0x0000000002C6F000-memory.dmp

        Filesize

        40.4MB