Overview

overview

10

Static

static

3

f379c2c732...be.exe

windows7-x64

10

f379c2c732...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be.exe

  • Size

    232KB

  • MD5

    b5f3dc95c09fa3bfdf009a404736f94e

  • SHA1

    03e471e7edf9bbcbe2483ebd1ba05364c93a190a

  • SHA256

    f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be

  • SHA512

    f63cba660384d5296e2f8aeeceba1a2d4707311a242cd5f12220008670cb5c2bf686b546fafe03cc6c5363bd62fe4c067a1f9dc73a8388488e13854b631ee546

  • SSDEEP

    6144:j6zxC0r84BWnfZUH7SFcQU+9HFsvKMXOCU:kY0r9BeZUbSiy9HSvKwO

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be.exe
    "C:\Users\Admin\AppData\Local\Temp\f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fxglqlrx\
      2⤵
        PID:4760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xaxqhjdt.exe" C:\Windows\SysWOW64\fxglqlrx\
        2⤵
          PID:4488
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create fxglqlrx binPath= "C:\Windows\SysWOW64\fxglqlrx\xaxqhjdt.exe /d\"C:\Users\Admin\AppData\Local\Temp\f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4904
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description fxglqlrx "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3888
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start fxglqlrx
          2⤵
          • Launches sc.exe
          PID:4936
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 580
          2⤵
          • Program crash
          PID:3512
      • C:\Windows\SysWOW64\fxglqlrx\xaxqhjdt.exe
        C:\Windows\SysWOW64\fxglqlrx\xaxqhjdt.exe /d"C:\Users\Admin\AppData\Local\Temp\f379c2c732470dbce8e17423baf7f6fcca63bcb13c4ade33a15df1225e3841be.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 516
          2⤵
          • Program crash
          PID:3864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2316 -ip 2316
        1⤵
          PID:4836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3484 -ip 3484
          1⤵
            PID:3088

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Impair Defenses

          1
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\xaxqhjdt.exe
            Filesize

            10.6MB

            MD5

            800962185477f54d71451d7e446e1057

            SHA1

            d73b51e8d23677860aed95bd81bb7a4a090365a6

            SHA256

            5c881885e1f75614393439fbc133097015bf59c3f2dbbd942071ecf68c59f55f

            SHA512

            9753466ad9a6e5178592e514b7f24674047bacc600075a92facaad957d1083d8f5091cbd3d8d7c6aada2535ab86bd74fdc2e9d7871976ffa165dc93189392306

            Download Submit
          • memory/2316-15-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2316-8-0x0000000000690000-0x0000000000790000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/2316-10-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2316-9-0x00000000004B0000-0x00000000004C3000-memory.dmp
            Filesize

            76KB

            Download
          • memory/3484-2-0x0000000000690000-0x00000000006A3000-memory.dmp
            Filesize

            76KB

            Download
          • memory/3484-4-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/3484-1-0x0000000000770000-0x0000000000870000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/3484-16-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4892-55-0x00000000087D0000-0x00000000087D7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/4892-45-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-17-0x0000000001080000-0x0000000001095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4892-18-0x0000000001080000-0x0000000001095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4892-20-0x0000000002C00000-0x0000000002E0F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/4892-23-0x0000000002C00000-0x0000000002E0F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/4892-24-0x00000000023E0000-0x00000000023E6000-memory.dmp
            Filesize

            24KB

            Download
          • memory/4892-27-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-30-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-51-0x0000000008280000-0x000000000868B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/4892-50-0x00000000031F0000-0x00000000031F5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/4892-11-0x0000000001080000-0x0000000001095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4892-54-0x0000000008280000-0x000000000868B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/4892-47-0x00000000031F0000-0x00000000031F5000-memory.dmp
            Filesize

            20KB

            Download
          • memory/4892-46-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-14-0x0000000001080000-0x0000000001095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4892-44-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-43-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-42-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-41-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-40-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-39-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-38-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-37-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-36-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-35-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-34-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-33-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-32-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-31-0x00000000023F0000-0x0000000002400000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4892-59-0x0000000001080000-0x0000000001095000-memory.dmp
            Filesize

            84KB

            Download