Overview

overview

10

Static

static

3

8e94ab9df2...b1.exe

windows7-x64

10

8e94ab9df2...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    240s
  • max time network
    271s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe

  • Size

    331KB

  • MD5

    3424a650d03640ec89fbb499d6674480

  • SHA1

    1ea36d7a77ec67039e67f944280dfdcdf1582991

  • SHA256

    8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1

  • SHA512

    5f8bed9cf3da89216af3b87d580535a29a67a617b8bee82e448ae2d02f4cf38975058d2a0d02cf3d48411745a8fc19d09eb5936b66d7be1c75d31087142e2411

  • SSDEEP

    6144:/K6gQvvYlQo7wU9TZlSmHgafhoeyz5xYmX/M:C5QvvYlhbCmHgGhoeYxYmE

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe
    "C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\acvujgqr\
      2⤵
        PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zcvggpqq.exe" C:\Windows\SysWOW64\acvujgqr\
        2⤵
          PID:2672
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create acvujgqr binPath= "C:\Windows\SysWOW64\acvujgqr\zcvggpqq.exe /d\"C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2776
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description acvujgqr "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2340
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start acvujgqr
          2⤵
          • Launches sc.exe
          PID:768
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2860
        • C:\Users\Admin\rhdsnfdl.exe
          "C:\Users\Admin\rhdsnfdl.exe" /d"C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iukxlkcg.exe" C:\Windows\SysWOW64\acvujgqr\
            3⤵
              PID:1724
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" config acvujgqr binPath= "C:\Windows\SysWOW64\acvujgqr\iukxlkcg.exe /d\"C:\Users\Admin\rhdsnfdl.exe\""
              3⤵
              • Launches sc.exe
              PID:408
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start acvujgqr
              3⤵
              • Launches sc.exe
              PID:1744
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              3⤵
              • Modifies Windows Firewall
              PID:2328
        • C:\Windows\SysWOW64\acvujgqr\iukxlkcg.exe
          C:\Windows\SysWOW64\acvujgqr\iukxlkcg.exe /d"C:\Users\Admin\rhdsnfdl.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:2100

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Privilege Escalation

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\iukxlkcg.exe
          Filesize

          14.9MB

          MD5

          6aa46550b7452b85b94d90de644101ac

          SHA1

          72429a01577eee269d6c2ddd66edba9ba78341da

          SHA256

          dfc4fc79e9e4c119dccb57cb9d09b75f0415ca38cfb92cb1201c435604e60d0a

          SHA512

          94233703e092c061fafaeb6ed2d067149061471a467a4c46790fdef195249194678cb17a5ed22ba8f43b16e8538f8543825a77c4cf8e8d5bc8d0f1e759aa73f5

          Download Submit
        • \Users\Admin\rhdsnfdl.exe
          Filesize

          10.6MB

          MD5

          5942a449091c9bbe02f7945f6aaf75cd

          SHA1

          b2720ce0a683863cf7a1e5baa8a7e66f5492f04d

          SHA256

          08f4ce81023fc550850e78580585574939fc8ea47eab65b30c8b29800992a9b5

          SHA512

          ad16ccc086d72f34c54dd7ba08987de5a1fe653157f47fcf75a86708b2d9c51ac39303e4bef7c8f5ffec1961a1f0e914b57eac676d1716f3e5ffb0d69962c89a

          Download Submit
        • memory/1832-40-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1832-34-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1832-33-0x0000000000580000-0x0000000000680000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2100-64-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-57-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-84-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2100-80-0x0000000000200000-0x0000000000207000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2100-79-0x0000000005630000-0x0000000005A3B000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2100-76-0x0000000005630000-0x0000000005A3B000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2100-75-0x00000000001F0000-0x00000000001F5000-memory.dmp
          Filesize

          20KB

          Download
        • memory/2100-72-0x00000000001F0000-0x00000000001F5000-memory.dmp
          Filesize

          20KB

          Download
        • memory/2100-71-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2100-35-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2100-38-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2100-70-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-42-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2100-43-0x0000000000080000-0x0000000000095000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2100-45-0x0000000001850000-0x0000000001A5F000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/2100-48-0x0000000001850000-0x0000000001A5F000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/2100-49-0x0000000000110000-0x0000000000116000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2100-52-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-55-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-56-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-69-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-58-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-59-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-60-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-61-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-62-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-63-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-68-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-65-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-66-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2100-67-0x0000000000160000-0x0000000000170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2300-30-0x00000000005D0000-0x00000000006D0000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2300-29-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/2300-27-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/2300-25-0x00000000005D0000-0x00000000006D0000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2856-1-0x00000000005C0000-0x00000000006C0000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2856-22-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/2856-4-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/2856-3-0x0000000000220000-0x0000000000233000-memory.dmp
          Filesize

          76KB

          Download
        • memory/2856-7-0x00000000005C0000-0x00000000006C0000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2856-11-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download