Analysis

  • max time kernel
    148s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 16:31

General

  • Target

    df9b061b8b91e89659ad8592ce4ea7ad.exe

  • Size

    10.6MB

  • MD5

    df9b061b8b91e89659ad8592ce4ea7ad

  • SHA1

    182c7d734f20a4145fff57048f1b0b443d02d5bc

  • SHA256

    be0186fe58064c8c88db16927a48a857699ba9ea162d49192dc2b152637d8aa4

  • SHA512

    7152b581cb9bdaf6af797d27f4e8a23a7403e77bd4aced1a98424d9f9a585ad7d615ed44285b2085e75255c5c7aa288c931564f5442145fd695b7787e9674a51

  • SSDEEP

    49152:URBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB5:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe
    "C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kcjczhaa\
      2⤵
        PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe" C:\Windows\SysWOW64\kcjczhaa\
        2⤵
          PID:2908
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kcjczhaa binPath= "C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe /d\"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kcjczhaa "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2588
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kcjczhaa
          2⤵
          • Launches sc.exe
          PID:2692
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2712
      • C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe
        C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe /d"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2368

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe

        Filesize

        6.4MB

        MD5

        1b290650d808b4c3dcc7465229bda8de

        SHA1

        f48018f8489d8f130cb8144af74d13a86c5479ff

        SHA256

        a89522a6e3729073b517218217002bd2b8d3041ae0a7291d9ccc3bc01fab36f7

        SHA512

        08e204361d396ccf3b1dd7e2960439525371a6e33aea630d390873109ae9636e67f9245498f1c2e425de93745801b13d682b2e1e256aa3d5821ca8a3970ab2fa

      • C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe

        Filesize

        3.1MB

        MD5

        c4c08b35b5a92121ddfb34bdfd0b54a2

        SHA1

        ffb4bc63d13fba3f05f2616107888cc600dc96db

        SHA256

        523fa42140ca9fd830ba5097a8a09d6f90ae58b6e675104e0d275e9bde42e672

        SHA512

        37ab7c198e2d57df9b9be01e328502c11bffede4e68d63828464b77868762c1fb931b1d55b678a59b6e1d96b9dc5373218c4294c58a5172aacabf4a150a66d73

      • memory/2068-1-0x0000000000290000-0x0000000000390000-memory.dmp

        Filesize

        1024KB

      • memory/2068-3-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

      • memory/2068-4-0x0000000000400000-0x0000000000C0A000-memory.dmp

        Filesize

        8.0MB

      • memory/2068-7-0x0000000000400000-0x0000000000C0A000-memory.dmp

        Filesize

        8.0MB

      • memory/2368-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2368-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2368-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2368-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2368-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2368-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2444-10-0x00000000002E0000-0x00000000002F3000-memory.dmp

        Filesize

        76KB

      • memory/2444-9-0x0000000000D80000-0x0000000000E80000-memory.dmp

        Filesize

        1024KB

      • memory/2444-12-0x0000000000400000-0x0000000000C0A000-memory.dmp

        Filesize

        8.0MB

      • memory/2444-17-0x0000000000400000-0x0000000000C0A000-memory.dmp

        Filesize

        8.0MB