Overview

overview

10

Static

static

3

c2f295f43b...e9.exe

windows7-x64

10

c2f295f43b...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9.exe

  • Size

    240KB

  • MD5

    a89a288b919ddd651b732bb9bd007036

  • SHA1

    6c92fac6954dfe04ce6308557fda191bdb1dadbf

  • SHA256

    c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9

  • SHA512

    cce4f2e6c3c8953226005d860b2413abb5ad6cd89b4fda244725147ac38cee0ea6002100a406c45d9729a66107acaf662b6b0fba68816e5823424ff0776f4809

  • SSDEEP

    3072:47WLco6DTm+7AOxmcacr5CV+S5ALQ4+EDUZwW:4SLco6vF7Jscac7d+Ex

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9.exe
    "C:\Users\Admin\AppData\Local\Temp\c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ujvderhq\
      2⤵
        PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\trgohxso.exe" C:\Windows\SysWOW64\ujvderhq\
        2⤵
          PID:2992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ujvderhq binPath= "C:\Windows\SysWOW64\ujvderhq\trgohxso.exe /d\"C:\Users\Admin\AppData\Local\Temp\c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2600
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ujvderhq "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2496
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ujvderhq
          2⤵
          • Launches sc.exe
          PID:2524
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2580
      • C:\Windows\SysWOW64\ujvderhq\trgohxso.exe
        C:\Windows\SysWOW64\ujvderhq\trgohxso.exe /d"C:\Users\Admin\AppData\Local\Temp\c2f295f43bcac36547da04ac4c01d449d75952c9da75f22b0b63a3130948f1e9.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2388

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\trgohxso.exe
        Filesize

        11.7MB

        MD5

        ab790fb9ef56d8b686f68970f9ec8721

        SHA1

        c1aa8f1272aadeb1e68098ee23058ed648bbfdac

        SHA256

        0973353af1f8ddd8551103b8085158555f7920b72046d3aa4d51ff551b0afd9f

        SHA512

        d2df402647cc0918c89f18517764c223b155fdbd10d7e94e275682ad27e2f7432cbb9054c576db836e26fea6ab5f784eaae24a4a6aad61ed7174191a1a494d44

        Download Submit

      • memory/2108-15-0x0000000000400000-0x0000000000415000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2108-4-0x0000000000400000-0x0000000000415000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2108-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2108-1-0x0000000001D70000-0x0000000001E70000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2108-14-0x0000000000400000-0x0000000001BB7000-memory.dmp

        Filesize

        23.7MB

        Download

      • memory/2388-53-0x0000000005500000-0x000000000590B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2388-46-0x00000000001F0000-0x00000000001F5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2388-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2388-11-0x00000000000D0000-0x00000000000E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2388-16-0x00000000000D0000-0x00000000000E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2388-17-0x00000000000D0000-0x00000000000E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2388-19-0x00000000018C0000-0x0000000001ACF000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2388-22-0x00000000018C0000-0x0000000001ACF000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2388-23-0x0000000000080000-0x0000000000086000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2388-26-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-44-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-54-0x0000000000200000-0x0000000000207000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2388-8-0x00000000000D0000-0x00000000000E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2388-50-0x0000000005500000-0x000000000590B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2388-49-0x00000000001F0000-0x00000000001F5000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2388-29-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-45-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-43-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-42-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-41-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-40-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-39-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-38-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-37-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-36-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-35-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-34-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-33-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-32-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-31-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2388-30-0x0000000000130000-0x0000000000140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2640-12-0x0000000000400000-0x0000000001BB7000-memory.dmp

        Filesize

        23.7MB

        Download