Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2024, 11:14

General

  • Target

    df071cea2b017b1429caef1d49d93dfd.exe

  • Size

    13.7MB

  • MD5

    df071cea2b017b1429caef1d49d93dfd

  • SHA1

    8abc0827c2469a356ca8a561330c59db7657c832

  • SHA256

    9567c4b9f9804cac7979f1be0a96f746cf1c80d69b04542e1c05bf6be20b6736

  • SHA512

    84df3a72cfea74bc54ba76b26c97c36f012e17cb545e3c0b665bbc72f73c8e5d1a8230e80f820a0484c0d96469a69ec9de198890e2e772c322bf71559a1d7f5c

  • SSDEEP

    98304:ijhd88888888888888888888888888888888888888888888888888888888888k:i

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ccuxfuvz\
      2⤵
        PID:5020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe" C:\Windows\SysWOW64\ccuxfuvz\
        2⤵
          PID:2276
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ccuxfuvz binPath= "C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d\"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:316
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ccuxfuvz "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:832
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ccuxfuvz
          2⤵
          • Launches sc.exe
          PID:4108
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1044
          2⤵
          • Program crash
          PID:1264
      • C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe
        C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:2704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 512
          2⤵
          • Program crash
          PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 116 -ip 116
        1⤵
          PID:5024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2444 -ip 2444
          1⤵
            PID:1996
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:4440

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe

              Filesize

              2.4MB

              MD5

              b7a9cf09e97cab214eccdae52c5882b3

              SHA1

              4a3f27b370de1a19093f37e74545938fffa509ec

              SHA256

              82d708ed4afce49096220a30594cba6cb85d76171967e0b81702c14c41ea6f21

              SHA512

              c398421f3710d6cb2ee77e1ce7208109cc7a321ca4e71b57559400c9901ac4b55673235e0820ef9cff93dfdbfddd6f918ec5202e35883cfb465c7768e0d2197d

            • C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe

              Filesize

              1.7MB

              MD5

              3e136af1e4f6624defcef84c96314ac3

              SHA1

              77ea27389ff1dc5dbfb702220f4c6d100186d01a

              SHA256

              1a4ffe3f7e54c7fd80a412ba5ff288f3f6e6869c0b78d89a8e6827125838eb9f

              SHA512

              635cdcd63353c4c3eab7171c51a693a53929783ea5f32dc1ed99c329faa7020f5edb4dc30d5904f084df006e5e6f8a42ee560899111a4a4de438bc755a4b2743

            • memory/116-1-0x0000000000670000-0x0000000000770000-memory.dmp

              Filesize

              1024KB

            • memory/116-2-0x0000000002080000-0x0000000002093000-memory.dmp

              Filesize

              76KB

            • memory/116-3-0x0000000000400000-0x000000000045D000-memory.dmp

              Filesize

              372KB

            • memory/116-5-0x0000000000400000-0x000000000045D000-memory.dmp

              Filesize

              372KB

            • memory/116-8-0x0000000000400000-0x000000000045D000-memory.dmp

              Filesize

              372KB

            • memory/116-9-0x0000000002080000-0x0000000002093000-memory.dmp

              Filesize

              76KB

            • memory/2444-11-0x00000000006C0000-0x00000000007C0000-memory.dmp

              Filesize

              1024KB

            • memory/2444-12-0x0000000000400000-0x000000000045D000-memory.dmp

              Filesize

              372KB

            • memory/2444-18-0x0000000000400000-0x000000000045D000-memory.dmp

              Filesize

              372KB

            • memory/2704-13-0x0000000000530000-0x0000000000545000-memory.dmp

              Filesize

              84KB

            • memory/2704-16-0x0000000000530000-0x0000000000545000-memory.dmp

              Filesize

              84KB

            • memory/2704-17-0x0000000000530000-0x0000000000545000-memory.dmp

              Filesize

              84KB

            • memory/2704-19-0x0000000000530000-0x0000000000545000-memory.dmp

              Filesize

              84KB

            • memory/2704-20-0x0000000000530000-0x0000000000545000-memory.dmp

              Filesize

              84KB