Overview

overview

10

Static

static

3

sus_file.exe

windows7-x64

10

sus_file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sus_file.exe

  • Size

    2.0MB

  • MD5

    b5829ea81cde8f48ba1190e20e6bb15d

  • SHA1

    51fbb15275360bbf2a866f339045527e941e1a85

  • SHA256

    71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451

  • SHA512

    d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a

  • SSDEEP

    49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm

Score
10/10
tofseezgratevasionexecutionpersistenceratspywaretrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Detect ZGRat V1 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sus_file.exe
    "C:\Users\Admin\AppData\Local\Temp\sus_file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:4708
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:380
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4756
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gjsekfaf\
          3⤵
            PID:1896
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jeorfqqy.exe" C:\Windows\SysWOW64\gjsekfaf\
            3⤵
              PID:4628
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" create gjsekfaf binPath= "C:\Windows\SysWOW64\gjsekfaf\jeorfqqy.exe /d\"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\"" type= own start= auto DisplayName= "wifi support"
              3⤵
              • Launches sc.exe
              PID:3948
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description gjsekfaf "wifi internet conection"
              3⤵
              • Launches sc.exe
              PID:2624
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start gjsekfaf
              3⤵
              • Launches sc.exe
              PID:1924
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              3⤵
              • Modifies Windows Firewall
              PID:1672
        • C:\Windows\SysWOW64\gjsekfaf\jeorfqqy.exe
          C:\Windows\SysWOW64\gjsekfaf\jeorfqqy.exe /d"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          1⤵
          • Executes dropped EXE
          PID:2652

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\jeorfqqy.exe
          Filesize

          12.4MB

          MD5

          2fbedd2f69d48e0c5f34d88c0362f08c

          SHA1

          652c556b85c4825d46fc449370d18964143b83db

          SHA256

          b73409811e043c20243687a573c200bbe9b298806f49c73c63ab0dc397091717

          SHA512

          f90fbb3b9ddf9fd87a4d4d1653243a5b10206d8aea7cc4c9f3bd1f572ff5bf3cbf6723358553be9562274412b76c9f5b3536b668c34d288032865823bda26d02

          Download Submit

        • memory/380-35-0x0000000008C90000-0x00000000092A8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/380-32-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/380-36-0x00000000087F0000-0x00000000088FA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/380-41-0x00000000093B0000-0x0000000009426000-memory.dmp

          Filesize

          472KB

          Download

        • memory/380-40-0x0000000008A80000-0x0000000008AE6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/380-39-0x0000000008900000-0x000000000894C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/380-38-0x0000000008790000-0x00000000087CC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/380-37-0x0000000008730000-0x0000000008742000-memory.dmp

          Filesize

          72KB

          Download

        • memory/380-42-0x0000000008C60000-0x0000000008C7E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/380-44-0x000000000AE30000-0x000000000B35C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/380-43-0x000000000A730000-0x000000000A8F2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1928-34-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1928-14-0x0000000000400000-0x0000000000538000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1928-12-0x0000000000400000-0x0000000000538000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1928-16-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1928-17-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1928-18-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1928-20-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1928-21-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4244-9-0x0000000007460000-0x0000000007466000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4244-10-0x000000007444E000-0x000000007444F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4244-1-0x00000000002F0000-0x00000000004F2000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4244-26-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4244-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4244-19-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4244-3-0x00000000053E0000-0x0000000005472000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4244-15-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4244-11-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4244-4-0x0000000005520000-0x00000000055BC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4244-0-0x000000007444E000-0x000000007444F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4244-8-0x0000000007550000-0x000000000756A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4244-7-0x0000000006590000-0x000000000659A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4244-6-0x00000000062E0000-0x0000000006324000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4244-5-0x0000000074440000-0x0000000074BF0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4756-22-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4756-31-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4756-27-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4756-25-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download