Overview

overview

10

Static

static

3

bf1da149d7...08.exe

windows7-x64

10

bf1da149d7...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe

  • Size

    290KB

  • MD5

    d2bf0c77c70900657d7c919282b90136

  • SHA1

    dc50e45c6aabad5b672af625f5449a0f50a36116

  • SHA256

    bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408

  • SHA512

    aee9a3d7862c25205432c39e61517d2d191a067dc2da79a627c6d228875cf32960d8cbe041d51ed0cf585ffe8b030f30b0e6df49653babb2967c5f4c49febab1

  • SSDEEP

    6144:j7ol2UY55+0U4C/yHwyHkXdfLhBbjLp6:j80+0U4C6GXLBbI

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe
    "C:\Users\Admin\AppData\Local\Temp\bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kodamylx\
      2⤵
        PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\orkvveff.exe" C:\Windows\SysWOW64\kodamylx\
        2⤵
          PID:4836
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kodamylx binPath= "C:\Windows\SysWOW64\kodamylx\orkvveff.exe /d\"C:\Users\Admin\AppData\Local\Temp\bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3940
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kodamylx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4496
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kodamylx
          2⤵
          • Launches sc.exe
          PID:780
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1400
          2⤵
          • Program crash
          PID:2552
      • C:\Windows\SysWOW64\kodamylx\orkvveff.exe
        C:\Windows\SysWOW64\kodamylx\orkvveff.exe /d"C:\Users\Admin\AppData\Local\Temp\bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 532
          2⤵
          • Program crash
          PID:4520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 376 -ip 376
        1⤵
          PID:1608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4244 -ip 4244
          1⤵
            PID:4284

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\orkvveff.exe
            Filesize

            11.2MB

            MD5

            2479280923f72f02513cddcdfae21689

            SHA1

            c0fa9f88f00ce064f76c8d3c221cb82bbb579b62

            SHA256

            21803a345bc6d99bea894ec8e98e46466227323ab2ba1f79b724a16b22b2ba78

            SHA512

            ca1a413620bf009c80a14b729b826415142d6ea8bd47e496f670beaf22e46d26728e0a9afef8b2d520842127867aafbcfe4a7010ac902cc06ef81a18bd326944

            Download Submit

          • memory/376-2-0x0000000002520000-0x0000000002533000-memory.dmp

            Filesize

            76KB

            Download

          • memory/376-4-0x0000000000400000-0x00000000007D1000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/376-7-0x0000000000400000-0x00000000007D1000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/376-8-0x0000000002520000-0x0000000002533000-memory.dmp

            Filesize

            76KB

            Download

          • memory/376-1-0x0000000000A20000-0x0000000000B20000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4244-18-0x0000000000400000-0x00000000007D1000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4244-10-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4244-11-0x0000000000400000-0x00000000007D1000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4976-33-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-37-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-17-0x0000000000110000-0x0000000000125000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4976-15-0x0000000000110000-0x0000000000125000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4976-20-0x0000000000110000-0x0000000000125000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4976-21-0x0000000002140000-0x000000000234F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4976-24-0x0000000002140000-0x000000000234F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4976-25-0x00000000001C0000-0x00000000001C6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4976-28-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-31-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-32-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-12-0x0000000000110000-0x0000000000125000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4976-34-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-35-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-36-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-16-0x0000000000110000-0x0000000000125000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4976-38-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-39-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-40-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-41-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-42-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-43-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-44-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-45-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-47-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-48-0x00000000001E0000-0x00000000001E5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/4976-46-0x00000000001D0000-0x00000000001E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4976-51-0x00000000001E0000-0x00000000001E5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/4976-52-0x0000000007080000-0x000000000748B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4976-55-0x0000000007080000-0x000000000748B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4976-56-0x00000000001F0000-0x00000000001F7000-memory.dmp

            Filesize

            28KB

            Download