Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 17:41

General

  • Target

    dfbd4be3187891db496fee51595274f1.exe

  • Size

    166KB

  • MD5

    dfbd4be3187891db496fee51595274f1

  • SHA1

    f7aa5bea583950b0e0025905abc8e59ad4ef6e02

  • SHA256

    76782ff9477534ad7cdd3235749e7c508174042c9300c136291b8cdee3338544

  • SHA512

    0e2c6a8553cdcfc1dbc03fbc44d41ce97502a9b1f7280717a43535952b1f206b8cf1925272fffc56ac1dddf10c32ed485ac6efc272422ba3437dd267fbe5edf6

  • SSDEEP

    3072:JxpC1d8ASZDRiJ51sZbQKDXDxob5Asie6KY211YdsVFfDTJQKt:JbDXZs+Dxtpei2HYaVxD7

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe
    "C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vjzwfnmt\
      2⤵
        PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uurmpgxp.exe" C:\Windows\SysWOW64\vjzwfnmt\
        2⤵
          PID:2516
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create vjzwfnmt binPath= "C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe /d\"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2588
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description vjzwfnmt "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2532
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start vjzwfnmt
          2⤵
          • Launches sc.exe
          PID:2464
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2860
      • C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe
        C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe /d"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\uurmpgxp.exe

        Filesize

        1.4MB

        MD5

        9daafea02806921d1e1e349c2f74ab76

        SHA1

        3580329ddd7ec73dfe6817dcf157b8d8dca25b94

        SHA256

        bab7e35eeb1be6d440da7b2ee85435f716c17a15b84e769a6f32115d8d432c62

        SHA512

        9eda89259d6442add677d43ecc9f606afbf18aefffa5f44b1c837e3736885ed299ec32048327402017e36a7a07d8438121bae1fa591b2f98a07bf3efee0dee0d

      • C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe

        Filesize

        6.1MB

        MD5

        9fb67a9d11d940db577ea05d08f315d0

        SHA1

        4abedf1b21aa4afe7240fcd1c0e2c5908796da92

        SHA256

        7e6d17084aa95217ddd11dbda9db15476bb478781f453451bd384c10c9889c07

        SHA512

        91039a0678d635bacaafac23ace674e7d6fd3d6ea6b3b70e05661e2d3c22246efd14bc8fa1a91a614e5aecc9d20fe98060c0d7c25928786913038275ce8fb587

      • memory/1224-2-0x0000000000230000-0x0000000000243000-memory.dmp

        Filesize

        76KB

      • memory/1224-1-0x0000000002E20000-0x0000000002F20000-memory.dmp

        Filesize

        1024KB

      • memory/1224-4-0x0000000000400000-0x0000000002CB9000-memory.dmp

        Filesize

        40.7MB

      • memory/1224-8-0x0000000000400000-0x0000000002CB9000-memory.dmp

        Filesize

        40.7MB

      • memory/1224-9-0x0000000002E20000-0x0000000002F20000-memory.dmp

        Filesize

        1024KB

      • memory/2448-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2448-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2448-14-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2448-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2448-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2448-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2448-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2572-10-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

        Filesize

        1024KB

      • memory/2572-15-0x0000000000400000-0x0000000002CB9000-memory.dmp

        Filesize

        40.7MB

      • memory/2572-17-0x0000000000400000-0x0000000002CB9000-memory.dmp

        Filesize

        40.7MB