Overview

overview

10

Static

static

3

35f519000a...31.exe

windows7-x64

10

35f519000a...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35f519000ad078d242c0bce097c59b31.exe

  • Size

    326KB

  • MD5

    35f519000ad078d242c0bce097c59b31

  • SHA1

    41a3c859c36a4240a51e6ce17ab269e8d2728eb0

  • SHA256

    1dc79692db8709e88fee042c5555f8432dc4638442887d8150b8b7c67f5f3eb2

  • SHA512

    260f2efe4757c518f96269ba3a3fd5b5c603fa6a52d9c0d976222158609911004ce48df4e75298c11de67ea29d91969f217986e4c0f1b83bb2f5d2a43a772997

  • SSDEEP

    3072:KLTZ5XJKQsp6NU4tqwCyc40r+oeHpmCR54kDSWegJSVE+Er20L4fdoiKuIov5QId:KbCt44p40rqHPbDb86r2LiNovrb/a

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35f519000ad078d242c0bce097c59b31.exe
    "C:\Users\Admin\AppData\Local\Temp\35f519000ad078d242c0bce097c59b31.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dzgakkxr\
      2⤵
        PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xgmxvkc.exe" C:\Windows\SysWOW64\dzgakkxr\
        2⤵
          PID:3300
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create dzgakkxr binPath= "C:\Windows\SysWOW64\dzgakkxr\xgmxvkc.exe /d\"C:\Users\Admin\AppData\Local\Temp\35f519000ad078d242c0bce097c59b31.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3924
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description dzgakkxr "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1824
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start dzgakkxr
          2⤵
          • Launches sc.exe
          PID:456
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3140
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1040
          2⤵
          • Program crash
          PID:5000
      • C:\Windows\SysWOW64\dzgakkxr\xgmxvkc.exe
        C:\Windows\SysWOW64\dzgakkxr\xgmxvkc.exe /d"C:\Users\Admin\AppData\Local\Temp\35f519000ad078d242c0bce097c59b31.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4700
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 520
          2⤵
          • Program crash
          PID:952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4700 -ip 4700
        1⤵
          PID:4788
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 772 -ip 772
          1⤵
            PID:2308

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\xgmxvkc.exe
            Filesize

            12.4MB

            MD5

            568508668ab07a436daa9f0e63fb547b

            SHA1

            be60b9527df6a9d803045f55ba070ff7964c0d52

            SHA256

            c0e1b3f07387aba9d9365eabf80caa6a72468c59c21b8f5cbe813f4cc3bb317f

            SHA512

            3d726062788777e659c12a556d8bdd3457ace4873c51e0cda96012a871481adb14924f86cb8924736d3594e9b2658ac8cae526dd1ea553482c5b5121c846938f

            Download Submit

          • memory/760-40-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-23-0x0000000002400000-0x000000000260F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/760-55-0x0000000007850000-0x0000000007857000-memory.dmp

            Filesize

            28KB

            Download

          • memory/760-47-0x00000000027F0000-0x00000000027F5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/760-9-0x0000000000540000-0x0000000000555000-memory.dmp

            Filesize

            84KB

            Download

          • memory/760-30-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-31-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-32-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-50-0x00000000027F0000-0x00000000027F5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/760-33-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-17-0x0000000000540000-0x0000000000555000-memory.dmp

            Filesize

            84KB

            Download

          • memory/760-18-0x0000000000540000-0x0000000000555000-memory.dmp

            Filesize

            84KB

            Download

          • memory/760-39-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-21-0x0000000002400000-0x000000000260F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/760-27-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-24-0x0000000002610000-0x0000000002616000-memory.dmp

            Filesize

            24KB

            Download

          • memory/760-51-0x0000000007300000-0x000000000770B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/760-54-0x0000000007300000-0x000000000770B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/760-34-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-35-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-41-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-45-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-44-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-43-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-42-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-46-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-36-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-38-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/760-37-0x0000000002620000-0x0000000002630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/772-2-0x0000000001B80000-0x0000000001B93000-memory.dmp

            Filesize

            76KB

            Download

          • memory/772-4-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/772-15-0x0000000001B80000-0x0000000001B93000-memory.dmp

            Filesize

            76KB

            Download

          • memory/772-14-0x0000000000400000-0x0000000001A1B000-memory.dmp

            Filesize

            22.1MB

            Download

          • memory/772-16-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/772-1-0x0000000001BA0000-0x0000000001CA0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4700-13-0x0000000000400000-0x0000000001A1B000-memory.dmp

            Filesize

            22.1MB

            Download

          • memory/4700-11-0x0000000000400000-0x0000000001A1B000-memory.dmp

            Filesize

            22.1MB

            Download

          • memory/4700-8-0x0000000000400000-0x0000000001A1B000-memory.dmp

            Filesize

            22.1MB

            Download