Analysis

  • max time kernel
    164s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 10:51

General

  • Target

    defc1cba4b8990663ca51d25a32af585.exe

  • Size

    10.4MB

  • MD5

    defc1cba4b8990663ca51d25a32af585

  • SHA1

    1a8a9c95794480980c208ceecdb4cedc4a09b058

  • SHA256

    5ab3671466c3136f8b9cd603f45ce7a038c9b8ed2ea58a713c5fff6a0928f729

  • SHA512

    0402ca1c999925d96c892252a1d9dd4276f258fb30a622b347e45da1acaa994be0f6893db5383d86bc10f12b8b7c5af7372a71826f946a05d9270b5bb3986f76

  • SSDEEP

    24576:0erU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:0sW

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe
    "C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gbcvsuxt\
      2⤵
        PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\foesthwc.exe" C:\Windows\SysWOW64\gbcvsuxt\
        2⤵
          PID:1504
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gbcvsuxt binPath= "C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe /d\"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gbcvsuxt "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2612
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gbcvsuxt
          2⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2580
      • C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe
        C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe /d"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\foesthwc.exe

    Filesize

    11.4MB

    MD5

    3516364e331c80b4d17a6bf8247077e9

    SHA1

    0f6e417d2629c168a3d54f23f2f757ee294da5e7

    SHA256

    223abf8eac1b1bd1db3bdee22635ad841df31d1dd405744dcc54ee906c9c8e32

    SHA512

    7232cfb3c05f7ed3314e8f6e32ecf97cf03ab8a5521cd54f9249fe7018fddeb88803477662c24adc4f0c162272c336ec76c219eeb16a53e213c48227948f8cfb

  • memory/1748-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

    Filesize

    1024KB

  • memory/1748-2-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/1748-3-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1748-6-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1748-7-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2384-12-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2384-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2384-15-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2384-20-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2384-21-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2384-22-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2416-11-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/2416-10-0x0000000000640000-0x0000000000740000-memory.dmp

    Filesize

    1024KB

  • memory/2416-16-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB