Overview

overview

10

Static

static

3

bc822ed934...f5.exe

windows7-x64

10

bc822ed934...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe

  • Size

    239KB

  • MD5

    a520a1746783fd618b1f805ce48b313f

  • SHA1

    d66c729c5d5b49c0e02f8f692425a6d4743f58cf

  • SHA256

    bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5

  • SHA512

    04e948f7e1df4856d65e30abfcca3a9ff7417f3e572df32b98d268bd982f87d97fc0a4a955ebe6e75de13d1d0e22132269e4c74124927385010feb00bd34066e

  • SSDEEP

    6144:IfULzEiwjQjbSnDuWi+Ygh5pUTQYJkge:hXEiwjhn4gh5Wtkv

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe
    "C:\Users\Admin\AppData\Local\Temp\bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nnvmhzda\
      2⤵
        PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mykpmsrf.exe" C:\Windows\SysWOW64\nnvmhzda\
        2⤵
          PID:1096
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nnvmhzda binPath= "C:\Windows\SysWOW64\nnvmhzda\mykpmsrf.exe /d\"C:\Users\Admin\AppData\Local\Temp\bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2564
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nnvmhzda "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2732
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nnvmhzda
          2⤵
          • Launches sc.exe
          PID:2428
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2680
      • C:\Windows\SysWOW64\nnvmhzda\mykpmsrf.exe
        C:\Windows\SysWOW64\nnvmhzda\mykpmsrf.exe /d"C:\Users\Admin\AppData\Local\Temp\bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\mykpmsrf.exe
        Filesize

        10.8MB

        MD5

        67692b4f22254d408d8c811a52cb5b20

        SHA1

        ccd59e88326313bb408ca4c9b9206282ecc6d0c1

        SHA256

        2d9fc37af7382914461e585e1ee891e61f4d9a9a1b5e7f35582a38b29e411b2d

        SHA512

        d182f328e12ecb76e408a606b8b6b1a3975505a05a6db39a94458458ae4ecf754b27dfe9a140f5d173ed12c7bb9c63219df987b0a292b54cb247b6d1ed349545

        Download Submit
      • memory/2200-4-0x0000000000400000-0x000000000085D000-memory.dmp
        Filesize

        4.4MB

        Download
      • memory/2200-3-0x0000000000220000-0x0000000000233000-memory.dmp
        Filesize

        76KB

        Download
      • memory/2200-20-0x0000000000400000-0x000000000085D000-memory.dmp
        Filesize

        4.4MB

        Download
      • memory/2200-1-0x0000000000930000-0x0000000000A30000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2584-30-0x0000000000400000-0x000000000085D000-memory.dmp
        Filesize

        4.4MB

        Download
      • memory/2584-21-0x0000000000950000-0x0000000000A50000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2584-22-0x0000000000400000-0x000000000085D000-memory.dmp
        Filesize

        4.4MB

        Download
      • memory/2584-23-0x0000000000400000-0x000000000085D000-memory.dmp
        Filesize

        4.4MB

        Download
      • memory/2920-48-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-55-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-32-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2920-24-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2920-33-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2920-35-0x00000000018B0000-0x0000000001ABF000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2920-38-0x00000000018B0000-0x0000000001ABF000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2920-39-0x00000000000E0000-0x00000000000E6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2920-42-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-45-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-46-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2920-47-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-50-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-56-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-27-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2920-54-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-53-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-52-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-51-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-57-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-49-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-59-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-58-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-60-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-61-0x0000000000130000-0x0000000000140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2920-62-0x00000000001F0000-0x00000000001F5000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2920-65-0x00000000001F0000-0x00000000001F5000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2920-66-0x00000000054F0000-0x00000000058FB000-memory.dmp
        Filesize

        4.0MB

        Download
      • memory/2920-69-0x00000000054F0000-0x00000000058FB000-memory.dmp
        Filesize

        4.0MB

        Download
      • memory/2920-70-0x0000000000200000-0x0000000000207000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2920-74-0x00000000000C0000-0x00000000000D5000-memory.dmp
        Filesize

        84KB

        Download