Overview

overview

10

Static

static

3

8960100ed1...6f.exe

windows7-x64

10

8960100ed1...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

  • Size

    228KB

  • MD5

    62abaf2cde2460be94b6fc5d5917cf14

  • SHA1

    ef808492171ea4fcc8b85a6ec553544ebff2dc26

  • SHA256

    8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f

  • SHA512

    fb511c078edb9971c8c7c073441f6ef0d1fededa093d7991f6e54c40e7c9144e67c45dbbdec22b5ff93111846f687fcb22456c4b2c03b7b01b3858eaab1792c7

  • SSDEEP

    3072:7VpLtaCoeUUb4Ji0/7t+/KFQbMdLY8aXIbHQSLkJl4C6FD81OL6OwR2Rsb4Mf7U0:JpLt3/bc/taYtLkqKLOOX7

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
    "C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aolusbur\
      2⤵
        PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\amcpdcuy.exe" C:\Windows\SysWOW64\aolusbur\
        2⤵
          PID:1660
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create aolusbur binPath= "C:\Windows\SysWOW64\aolusbur\amcpdcuy.exe /d\"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4412
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description aolusbur "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3132
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start aolusbur
          2⤵
          • Launches sc.exe
          PID:3704
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3104
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 748
          2⤵
          • Program crash
          PID:1028
      • C:\Windows\SysWOW64\aolusbur\amcpdcuy.exe
        C:\Windows\SysWOW64\aolusbur\amcpdcuy.exe /d"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:3892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 516
          2⤵
          • Program crash
          PID:1036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4476 -ip 4476
        1⤵
          PID:4160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4356 -ip 4356
          1⤵
            PID:2880

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\amcpdcuy.exe
            Filesize

            11.1MB

            MD5

            b04482e46621b8cc88e7e1300db382f5

            SHA1

            7ee108aee78ac20ee07356591405020f05096ae4

            SHA256

            b9c607929b66fcd19479b5879c776a68e1f8c1607a9dbbb58ca4603c178232f1

            SHA512

            f0253734e0538bdf181f9b8e1c9d2dbacca3e0db27265eba376718b55725dbcdd0da1474b4b956f83e29b7b533345fd9321a59b9d5dcb58cc6c6b98782fd63ee

            Download Submit

          • memory/3892-43-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-50-0x00000000019F0000-0x00000000019F5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/3892-59-0x0000000000310000-0x0000000000325000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3892-32-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-54-0x0000000007100000-0x000000000750B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3892-46-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-11-0x0000000000310000-0x0000000000325000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3892-47-0x00000000019F0000-0x00000000019F5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/3892-15-0x0000000000310000-0x0000000000325000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3892-33-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-17-0x0000000000310000-0x0000000000325000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3892-18-0x0000000000310000-0x0000000000325000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3892-20-0x0000000002200000-0x000000000240F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3892-36-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-24-0x0000000000F60000-0x0000000000F66000-memory.dmp

            Filesize

            24KB

            Download

          • memory/3892-27-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-30-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-31-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-55-0x00000000025D0000-0x00000000025D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3892-51-0x0000000007100000-0x000000000750B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3892-23-0x0000000002200000-0x000000000240F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3892-37-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-35-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-34-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-39-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-38-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-40-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-41-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-44-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-42-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3892-45-0x00000000019E0000-0x00000000019F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4356-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4356-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4356-9-0x0000000000C10000-0x0000000000C23000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4356-8-0x0000000000470000-0x0000000000570000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4476-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4476-3-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4476-14-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4476-2-0x00000000005E0000-0x00000000005F3000-memory.dmp

            Filesize

            76KB

            Download