Overview

overview

10

Static

static

3

b984128113...ad.exe

windows7-x64

10

b984128113...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad.exe

  • Size

    302KB

  • MD5

    9f9e5f55dc8cb3809e24b14fb8f9c27d

  • SHA1

    cfed2d1d3e44d8ad3d0cade2ca83f105949aa952

  • SHA256

    b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad

  • SHA512

    5e8acc5af13c952fd1f02f88d2acf5314bd98216d51f340f1e0163551c27c44267391bd82ef8d72a214ee3d28803f7c08ec2ca2a84f0c599bbe17e9d955d56b6

  • SSDEEP

    6144:VdUtDjcT/lUmHvYBLDTOGc/sh4m18vMm48IRi7:rq3w/6mHvYBSGosym1gMv8

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad.exe
    "C:\Users\Admin\AppData\Local\Temp\b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gufjqafe\
      2⤵
        PID:3988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\crjqvtyq.exe" C:\Windows\SysWOW64\gufjqafe\
        2⤵
          PID:1848
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gufjqafe binPath= "C:\Windows\SysWOW64\gufjqafe\crjqvtyq.exe /d\"C:\Users\Admin\AppData\Local\Temp\b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2564
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gufjqafe "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1700
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gufjqafe
          2⤵
          • Launches sc.exe
          PID:4524
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1036
          2⤵
          • Program crash
          PID:376
      • C:\Windows\SysWOW64\gufjqafe\crjqvtyq.exe
        C:\Windows\SysWOW64\gufjqafe\crjqvtyq.exe /d"C:\Users\Admin\AppData\Local\Temp\b984128113ff555edf24f086dcec400c697413f9095c8510da1058a98a2cc4ad.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2784
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 560
          2⤵
          • Program crash
          PID:3792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4144 -ip 4144
        1⤵
          PID:3664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3544 -ip 3544
          1⤵
            PID:5108

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Impair Defenses

          1
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\crjqvtyq.exe
            Filesize

            14.7MB

            MD5

            9e7d2be45b0fb21f4963cd909ff44cbb

            SHA1

            4f473a321cdfe30324c90ee99d25553d39a3ab0e

            SHA256

            3da13b74a58eaadc321ab2918bb6b108d3b3dcd0be3e267defe3ed73bd7b49bd

            SHA512

            a2c2cfd357ac3c81a243149deb4b4970d244d92f86531fae88b2db4509e41bd40f560d255e6310be93f8041c091a672b76c712259931aa94a4b080d19a1c7b06

            Download Submit
          • memory/2784-43-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-55-0x00000000023E0000-0x00000000023E7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/2784-59-0x0000000000DE0000-0x0000000000DF5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2784-34-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-54-0x0000000008240000-0x000000000864B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2784-8-0x0000000000DE0000-0x0000000000DF5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2784-38-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-14-0x0000000000DE0000-0x0000000000DF5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2784-33-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-17-0x0000000000DE0000-0x0000000000DF5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2784-18-0x0000000000DE0000-0x0000000000DF5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2784-20-0x0000000002C00000-0x0000000002E0F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/2784-23-0x0000000002C00000-0x0000000002E0F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/2784-24-0x00000000011F0000-0x00000000011F6000-memory.dmp
            Filesize

            24KB

            Download
          • memory/2784-27-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-30-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-32-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-31-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-37-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-39-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-47-0x00000000023D0000-0x00000000023D5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/2784-36-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-46-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-45-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-44-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-35-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-40-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-42-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2784-51-0x0000000008240000-0x000000000864B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2784-50-0x00000000023D0000-0x00000000023D5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/2784-41-0x00000000023A0000-0x00000000023B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3544-1-0x0000000000960000-0x0000000000A60000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/3544-4-0x0000000000400000-0x00000000008FD000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/3544-16-0x0000000000400000-0x00000000008FD000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/3544-2-0x0000000000A80000-0x0000000000A93000-memory.dmp
            Filesize

            76KB

            Download
          • memory/4144-13-0x0000000000400000-0x00000000008FD000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/4144-9-0x0000000000A90000-0x0000000000B90000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/4144-10-0x0000000000A60000-0x0000000000A73000-memory.dmp
            Filesize

            76KB

            Download