Overview

overview

10

Static

static

3

VirusShare...61.exe

windows7-x64

10

VirusShare...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2024 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_71efd5f8d2ad4c891d4d52f2cce17561.exe

  • Size

    144KB

  • MD5

    71efd5f8d2ad4c891d4d52f2cce17561

  • SHA1

    f34013094d0de6756de5c4979181e1a468836454

  • SHA256

    62c10c55dac6618eff4716e89de4bae41c429102fae8cae2f0ffc86a05ad82e2

  • SHA512

    0f8bab954b18c6e57a3bd0b1b685a5c4d4b194ab30c4b0e8a192cf57d9343c33e7b3f2ed9cb8a815f931b702c528d01ac58f30b8bfa3921854b285cd899bd7b0

  • SSDEEP

    3072:XNfr+k4XY4h+PhzjzrOdt9lES2jbxWGqe:XNf14D+PhznrOdmSbGqe

Score
10/10
tofseepersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

91.218.39.211

188.130.237.44

91.204.162.103

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_71efd5f8d2ad4c891d4d52f2cce17561.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_71efd5f8d2ad4c891d4d52f2cce17561.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\obgtylem.exe
      "C:\Users\Admin\obgtylem.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:5004
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 356
            4⤵
            • Program crash
            PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3144.bat" "
        2⤵
          PID:1528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
        1⤵
          PID:3340

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3144.bat
          Filesize

          260B

          MD5

          a54d95aaffc8e6ad3c02c8ba1bab1655

          SHA1

          a1e2225c660ac94e9af43bf7636fc9fce7388ec0

          SHA256

          23e43064f4cdf6de171ba53bdcbdaedcae860970931d1374fe55369ae80bbab6

          SHA512

          a03918618148690d0526e47366de0f9a11e748bc1e2eb332899c9ef49fe1ee802ac9f60d25b85bf107b7e1448fb473cfa06e809aeb957ac09199f206eff546bc

          Download Submit

        • C:\Users\Admin\obgtylem.exe
          Filesize

          37.0MB

          MD5

          476661bcd6b81ac401d2033411d0fdce

          SHA1

          8ae3eed4269fc42a1ab2d26ea68f772d90a4524a

          SHA256

          a7f19de76f2d8ac16b093a887e6defe98c7bd65f4b1ac672e60e17a3a3ecc5eb

          SHA512

          3c7fe15f197ff08aaad4711738bf413002a195aa8aeb66c4fa4b8eddae463e8d0062544274dbd7e03adb86857ccefee3b2ff6010287562cc5f4fa5ddec71ba28

          Download Submit

        • memory/3580-8-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/3580-7-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/3580-12-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4440-22-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4440-2-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4440-0-0x0000000002190000-0x00000000021A2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5004-14-0x0000000000E80000-0x0000000000E92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5004-17-0x0000000000E80000-0x0000000000E92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5004-9-0x0000000000E80000-0x0000000000E92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5004-25-0x0000000002E10000-0x0000000002E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5004-26-0x0000000000E80000-0x0000000000E92000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5004-27-0x0000000000E80000-0x0000000000E92000-memory.dmp

          Filesize

          72KB

          Download