Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 13:33

General

  • Target

    7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe

  • Size

    229KB

  • MD5

    ddb3205a92ff18ae17b3f9f93c7b197c

  • SHA1

    b77c666a2d7b1f63ba08316f9a221be6ac1f786a

  • SHA256

    7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8

  • SHA512

    db659ead4fd2ed186f221adf5bb9ab5b686253454eeb307ba247a99d8026c009d72ed11473d4622146c7b6cf59f445ad3b020ac3394d3f61af5bfd385b43c334

  • SSDEEP

    3072:lnUQviqZALXadUs0vEJimn1K29YbqYZgpLneYDR89fJ5j3UxS6MeILYS:lnUzPjflapLnsdT3U2eILY

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe
    "C:\Users\Admin\AppData\Local\Temp\7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbemfjpx\
      2⤵
        PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\dbemfjpx\
        2⤵
          PID:2556
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dbemfjpx binPath= "C:\Windows\SysWOW64\dbemfjpx\wzsddmnn.exe /d\"C:\Users\Admin\AppData\Local\Temp\7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2568
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description dbemfjpx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2820
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start dbemfjpx
          2⤵
          • Launches sc.exe
          PID:2700
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2532
      • C:\Windows\SysWOW64\dbemfjpx\wzsddmnn.exe
        C:\Windows\SysWOW64\dbemfjpx\wzsddmnn.exe /d"C:\Users\Admin\AppData\Local\Temp\7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:108

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\wzsddmnn.exe
        Filesize

        14.2MB

        MD5

        1feec5554a305aee4ee207da3c8f9826

        SHA1

        0778b561c9972e088e92e2cab140130f2a4a00a2

        SHA256

        fe70bb300d78913869d6a14c103b75f109a5490e7d27326c9cc39c1136942a16

        SHA512

        b1970aa7514aaa5bae2d90d135d0ec30563ac86c250ee7e73f0b7bb28b3529c28ce49fe4d8919c521fa71bd02817c966060e60ffec245e632429cd5accd4f9df

      • memory/108-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/108-14-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/108-11-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/108-23-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/108-21-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/108-20-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/108-18-0x00000000000D0000-0x00000000000E5000-memory.dmp
        Filesize

        84KB

      • memory/2144-19-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

      • memory/2144-2-0x0000000000220000-0x0000000000233000-memory.dmp
        Filesize

        76KB

      • memory/2144-3-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

      • memory/2144-1-0x00000000005F0000-0x00000000006F0000-memory.dmp
        Filesize

        1024KB

      • memory/2624-9-0x00000000002E0000-0x00000000002F3000-memory.dmp
        Filesize

        76KB

      • memory/2624-8-0x0000000000610000-0x0000000000710000-memory.dmp
        Filesize

        1024KB

      • memory/2624-10-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

      • memory/2624-16-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB