Overview

overview

10

Static

static

3

8f6f42565e...cs.exe

windows7-x64

10

8f6f42565e...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f6f42565e966692af1ac93e82a1d100_NeikiAnalytics.exe

  • Size

    223KB

  • MD5

    8f6f42565e966692af1ac93e82a1d100

  • SHA1

    097ccdca934cec31b2b54e6ca54ab9df6c04f7e0

  • SHA256

    af96cc289214800481e21ed8a8a4d52b49761bda1ae487648bbba6a949e69c13

  • SHA512

    b269ba4532c7de6471a9fafe43f64718711a36d0ea5250ed784e5b18bfb4451a23b0d414732f03c68375b7e3b88c01956a1738060d913e9814d4549c6579a6ea

  • SSDEEP

    3072:6tzKsLYSb9knI4UGW+D0pOG64gy4N9kSAU0oBHZStU7bZVC6PCZ9TTM1eQ:SIUGWvaV0YSSJVl8TTB

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f6f42565e966692af1ac93e82a1d100_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8f6f42565e966692af1ac93e82a1d100_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nokyxoee\
      2⤵
        PID:4320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jqxapdwg.exe" C:\Windows\SysWOW64\nokyxoee\
        2⤵
          PID:1740
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nokyxoee binPath= "C:\Windows\SysWOW64\nokyxoee\jqxapdwg.exe /d\"C:\Users\Admin\AppData\Local\Temp\8f6f42565e966692af1ac93e82a1d100_NeikiAnalytics.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2960
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nokyxoee "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2844
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nokyxoee
          2⤵
          • Launches sc.exe
          PID:2896
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1036
          2⤵
          • Program crash
          PID:1716
      • C:\Windows\SysWOW64\nokyxoee\jqxapdwg.exe
        C:\Windows\SysWOW64\nokyxoee\jqxapdwg.exe /d"C:\Users\Admin\AppData\Local\Temp\8f6f42565e966692af1ac93e82a1d100_NeikiAnalytics.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:632
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 512
          2⤵
          • Program crash
          PID:828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4352 -ip 4352
        1⤵
          PID:1736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4520 -ip 4520
          1⤵
            PID:1888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
            1⤵
              PID:4952

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\jqxapdwg.exe
              Filesize

              12.8MB

              MD5

              365bf524b1f4bfe11d169cf568502480

              SHA1

              f4cd5b7fa0a4f73952bf213e02c413618002c213

              SHA256

              1f6cedfcf48a0d9b89c7af46ee9b496f04c4a389ac601a30bfa412ebcca6e212

              SHA512

              ceee198ffccf767cc892950279b63e03237c15b80381c8b8048e0f2f3c8330370457a62f37fcc984e13db9e0e49ac1f7889ef3da682260f118d1c5cce0875474

              Download Submit
            • memory/632-47-0x00000000027F0000-0x00000000027F5000-memory.dmp
              Filesize

              20KB

              Download
            • memory/632-43-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-48-0x0000000007F00000-0x000000000830B000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/632-51-0x0000000007F00000-0x000000000830B000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/632-52-0x00000000033D0000-0x00000000033D7000-memory.dmp
              Filesize

              28KB

              Download
            • memory/632-27-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-11-0x00000000012E0000-0x00000000012F5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/632-13-0x00000000012E0000-0x00000000012F5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/632-14-0x00000000012E0000-0x00000000012F5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/632-28-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-17-0x0000000003000000-0x000000000320F000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/632-24-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-21-0x0000000002790000-0x0000000002796000-memory.dmp
              Filesize

              24KB

              Download
            • memory/632-20-0x0000000003000000-0x000000000320F000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/632-31-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-32-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-29-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-44-0x00000000027F0000-0x00000000027F5000-memory.dmp
              Filesize

              20KB

              Download
            • memory/632-30-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-42-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-41-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-40-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-39-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-38-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-37-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-36-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-35-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-34-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/632-33-0x00000000027A0000-0x00000000027B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4352-9-0x0000000000400000-0x0000000000415000-memory.dmp
              Filesize

              84KB

              Download
            • memory/4352-4-0x0000000000400000-0x0000000000415000-memory.dmp
              Filesize

              84KB

              Download
            • memory/4352-2-0x00000000026D0000-0x00000000026E3000-memory.dmp
              Filesize

              76KB

              Download
            • memory/4352-7-0x0000000000400000-0x0000000002574000-memory.dmp
              Filesize

              33.5MB

              Download
            • memory/4352-8-0x00000000026D0000-0x00000000026E3000-memory.dmp
              Filesize

              76KB

              Download
            • memory/4352-1-0x0000000002820000-0x0000000002920000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/4520-15-0x0000000000400000-0x0000000002574000-memory.dmp
              Filesize

              33.5MB

              Download