Overview

overview

10

Static

static

3

8e94ab9df2...b1.exe

windows7-x64

10

8e94ab9df2...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe

  • Size

    331KB

  • MD5

    3424a650d03640ec89fbb499d6674480

  • SHA1

    1ea36d7a77ec67039e67f944280dfdcdf1582991

  • SHA256

    8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1

  • SHA512

    5f8bed9cf3da89216af3b87d580535a29a67a617b8bee82e448ae2d02f4cf38975058d2a0d02cf3d48411745a8fc19d09eb5936b66d7be1c75d31087142e2411

  • SSDEEP

    6144:/K6gQvvYlQo7wU9TZlSmHgafhoeyz5xYmX/M:C5QvvYlhbCmHgGhoeYxYmE

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe
    "C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fdbscfib\
      2⤵
        PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pewdigld.exe" C:\Windows\SysWOW64\fdbscfib\
        2⤵
          PID:2508
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create fdbscfib binPath= "C:\Windows\SysWOW64\fdbscfib\pewdigld.exe /d\"C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2620
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description fdbscfib "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2064
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start fdbscfib
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2424
      • C:\Windows\SysWOW64\fdbscfib\pewdigld.exe
        C:\Windows\SysWOW64\fdbscfib\pewdigld.exe /d"C:\Users\Admin\AppData\Local\Temp\8e94ab9df264de254c2961478a718dd9e960b8701a4aa75015fde99d1f1020b1.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2404

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\pewdigld.exe
        Filesize

        12.2MB

        MD5

        ab0b2e8197787df08aeb02e39855b4a9

        SHA1

        73f6d5b52b6100e078d2d8256385f5214b649df1

        SHA256

        755f4f91e0109c288988617432da527e02a421688f35f14b0c861dbac92f2a90

        SHA512

        75c5349cfab740cdc1def6108310927b52f66363ea0f81ab011041736668941dc2e725f11ad09e3dc2db9418bbcd4796a31deb801e97b2c653a82e26603e197c

        Download Submit
      • memory/1280-1-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1280-2-0x0000000000220000-0x0000000000233000-memory.dmp
        Filesize

        76KB

        Download
      • memory/1280-3-0x0000000000400000-0x000000000045C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/1280-8-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1280-9-0x0000000000220000-0x0000000000233000-memory.dmp
        Filesize

        76KB

        Download
      • memory/1280-7-0x0000000000400000-0x000000000045C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/2404-32-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-38-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2404-16-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-13-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-20-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-21-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-60-0x0000000000340000-0x0000000000347000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2404-22-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-24-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2404-25-0x0000000001C60000-0x0000000001E6F000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2404-28-0x0000000001C60000-0x0000000001E6F000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2404-29-0x00000000000E0000-0x00000000000E6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2404-59-0x0000000005720000-0x0000000005B2B000-memory.dmp
        Filesize

        4.0MB

        Download
      • memory/2404-35-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-36-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-37-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-56-0x0000000005720000-0x0000000005B2B000-memory.dmp
        Filesize

        4.0MB

        Download
      • memory/2404-39-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-40-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-41-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-42-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-43-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-44-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-45-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-46-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-47-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-48-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-49-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-50-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-51-0x00000000001E0000-0x00000000001F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-52-0x0000000000230000-0x0000000000235000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2404-55-0x0000000000230000-0x0000000000235000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2644-12-0x0000000000400000-0x000000000045C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/2644-11-0x0000000000580000-0x0000000000680000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2644-17-0x0000000000400000-0x000000000045C000-memory.dmp
        Filesize

        368KB

        Download