Overview

overview

10

Static

static

3

e78128c207...e8.exe

windows7-x64

10

e78128c207...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe

  • Size

    307KB

  • MD5

    f4eb02f3a2587ba66f1036cae85e4770

  • SHA1

    e8ed42963f946e33ec99af067eeabf0412436b62

  • SHA256

    e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8

  • SHA512

    6cfc6f6a07c5e36d678f9999ca9377549843f81cef9f23e3819c0dcde7d8f68668469c65c9690a6e8139c216f2b79058dc5255f5f8efa1def6bd7be2919e6719

  • SSDEEP

    3072:TTgg3xOPn/SpLwMMrcDPXDzGkP2NakC5p+WrjxxMu63jXdo:gOOf/mLwMMrcDPXDzdvN+WvxajX

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
    "C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xncuqonv\
      2⤵
        PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\adwhhqrr.exe" C:\Windows\SysWOW64\xncuqonv\
        2⤵
          PID:4332
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xncuqonv binPath= "C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe /d\"C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2336
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description xncuqonv "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1688
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start xncuqonv
          2⤵
          • Launches sc.exe
          PID:1864
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3972
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 920
          2⤵
          • Program crash
          PID:8
      • C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe
        C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe /d"C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe"
        1⤵
        • Executes dropped EXE
        PID:3168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3412 -ip 3412
        1⤵
          PID:1664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\adwhhqrr.exe
          Filesize

          14.4MB

          MD5

          f66528502e43b273e6d545c91fc19218

          SHA1

          0bc3581d6cca7e96c5162a2c48546ece409004aa

          SHA256

          58a2f9e29491303188f6b365644a47544b334c9d100a467ed1801f868b5c897b

          SHA512

          6f1eaa296534a0b89ff87adb446f064db3eec19c533858605349a5f247e7ee4c0451e41aa90094fe361a6b8dc1b966a7e2792ef91b76ed37e6b6bfb437e67638

          Download Submit
        • memory/3412-1-0x0000000002C60000-0x0000000002D60000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/3412-2-0x0000000002BA0000-0x0000000002BB3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/3412-4-0x0000000000400000-0x0000000002AC2000-memory.dmp
          Filesize

          38.8MB

          Download
        • memory/3412-7-0x0000000000400000-0x0000000002AC2000-memory.dmp
          Filesize

          38.8MB

          Download
        • memory/3412-8-0x0000000002BA0000-0x0000000002BB3000-memory.dmp
          Filesize

          76KB

          Download