Analysis

  • max time kernel
    143s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 10:20

General

  • Target

    deed33d8537ad5384cd927b88df28494.exe

  • Size

    12.1MB

  • MD5

    deed33d8537ad5384cd927b88df28494

  • SHA1

    49586c8d73492b95d4cc2eb77db1c43b664cb534

  • SHA256

    6eaff3a3059d64fba8aaf22757cd51de82addb4f84f24f87aa3292a95d0825ca

  • SHA512

    26be2d580be0f355f6c6f2a2bb0d8b913d178bda678a36480ddae95ca85ffa64a2fd8e1a8017c07ef5ba03ea8a1d0d4b6d2134d508d6f740e93db8c551ccbcea

  • SSDEEP

    49152:zyqI2kmso555555555555555555555555555555555555555555555555555555T:zyqI2

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe
    "C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ymqshkno\
      2⤵
        PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbbsdmdf.exe" C:\Windows\SysWOW64\ymqshkno\
        2⤵
          PID:2516
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ymqshkno binPath= "C:\Windows\SysWOW64\ymqshkno\hbbsdmdf.exe /d\"C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ymqshkno "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2552
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ymqshkno
          2⤵
          • Launches sc.exe
          PID:2756
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2444
      • C:\Windows\SysWOW64\ymqshkno\hbbsdmdf.exe
        C:\Windows\SysWOW64\ymqshkno\hbbsdmdf.exe /d"C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2992

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\hbbsdmdf.exe

        Filesize

        11.4MB

        MD5

        99942c7c9d05ab4ceb75ca3880952cc3

        SHA1

        5bbe60343821535132ec1c0382f34299459c2ded

        SHA256

        efc7a37e4f2a33a07b9f2bcc223ca6942c9e5ea6dac5fe0d724b0a474c853edc

        SHA512

        e53013dd7d2abc899a71e8fc620b6675be2685873607182868c2806cc753eb355e850190ffe0c81e6293987a96d3eb68d0f5a26c7f7ef7f29f60957052e00a60

      • C:\Windows\SysWOW64\ymqshkno\hbbsdmdf.exe

        Filesize

        4.3MB

        MD5

        d3518cfce049a078c5d7d454f45f18ff

        SHA1

        c9a2a92a0d093fbe96fa331ad6f0187de278fadc

        SHA256

        a994d077bddd69c283ac3df4688089118696dc22f994dc368a59e610651695fa

        SHA512

        36cd6fe78146d0a11c0192413c0b358de2080ffd28aa602f339fb153bacc9cbbcf8428d0cd5ffac353a995715899b7c40dc5b0d9e17c91663a8206b2d2f6a86e

      • memory/1436-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

        Filesize

        1024KB

      • memory/1436-4-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/1436-3-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/1436-6-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2428-9-0x00000000004E0000-0x00000000005E0000-memory.dmp

        Filesize

        1024KB

      • memory/2428-10-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2428-15-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

      • memory/2992-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2992-11-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2992-14-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2992-18-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2992-19-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB

      • memory/2992-20-0x0000000000100000-0x0000000000115000-memory.dmp

        Filesize

        84KB