Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 10:26

General

  • Target

    def068a1136728af31342c71582b1a85.exe

  • Size

    13.1MB

  • MD5

    def068a1136728af31342c71582b1a85

  • SHA1

    d61c7e1a928c76403ae590f8380150d0dfe572b9

  • SHA256

    bad8cfc47d63460e56554bdffe7e3cd7f8d8f4acd077c1846812ddab9a13b3d6

  • SHA512

    2d1d7404ef3f6f5d2bbf4d60505701b2a041d8f9e5f0460cdb84c1e278a4cd705b83ad1dab5e2914d04542b32dbfafe1f73a290a76324b2e4d6fa1a662624264

  • SSDEEP

    6144:ynqXDHjKw5RZmN+RrjeO6wWSLL78/nk5agPEWHtIhiiiiiiiiiiiiiiiiiiiiiiH:vXbjKw5bmN+RPWcLI/niag8E

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe
    "C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qfyvcure\
      2⤵
        PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe" C:\Windows\SysWOW64\qfyvcure\
        2⤵
          PID:2608
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qfyvcure binPath= "C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d\"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2544
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qfyvcure "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qfyvcure
          2⤵
          • Launches sc.exe
          PID:2724
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2460
      • C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe
        C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2832

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe

        Filesize

        7.6MB

        MD5

        7678ea08e076aa08cc6893bc848bc670

        SHA1

        916332d8ae03a3767e2b747ee3207d74c2bbb3db

        SHA256

        9a015915f6ba263519015410adc721cce3d9b4ee780b6dca0c620b9b3ce56257

        SHA512

        64d2584db85797d6fae13b88342e63decbe3fd495ae1e1efd0f05aa2bcb15196783b728273e9c897e1d1b0fff84910354a8fc7737e636751f036d9e05c3a75df

      • C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe

        Filesize

        8.8MB

        MD5

        aac1a881e3a112a21807c59a24e82df1

        SHA1

        105a213f66b798345023f8b6ac2fab186c9146f9

        SHA256

        5de551a5fcab5287e8cc0aa024c4491ba994bd71eb26661ca834ba533d8f6274

        SHA512

        eb4b6daba94a61fce19d0706febc15092e706dc6ad98338e58970d072673aa6e3879331bb8da5ea1025e31b3f6afbce0cfe2390e7c53d0f485962a6e9e160c2c

      • memory/1740-10-0x00000000009D0000-0x0000000000AD0000-memory.dmp

        Filesize

        1024KB

      • memory/1740-11-0x0000000000400000-0x00000000008EA000-memory.dmp

        Filesize

        4.9MB

      • memory/1740-17-0x0000000000400000-0x00000000008EA000-memory.dmp

        Filesize

        4.9MB

      • memory/2832-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2832-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2832-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2832-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2832-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2832-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2868-8-0x0000000000970000-0x0000000000A70000-memory.dmp

        Filesize

        1024KB

      • memory/2868-1-0x0000000000970000-0x0000000000A70000-memory.dmp

        Filesize

        1024KB

      • memory/2868-4-0x0000000000400000-0x00000000008EA000-memory.dmp

        Filesize

        4.9MB

      • memory/2868-7-0x0000000000400000-0x00000000008EA000-memory.dmp

        Filesize

        4.9MB

      • memory/2868-3-0x00000000002B0000-0x00000000002C3000-memory.dmp

        Filesize

        76KB