Overview

overview

10

Static

static

3

2779351a1b...8d.exe

windows7-x64

10

2779351a1b...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d.exe

  • Size

    239KB

  • MD5

    002356e241ed93062ea8cf0c80e250de

  • SHA1

    e81f528cd1f782c03943f48d9c8496c60ae3433f

  • SHA256

    2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d

  • SHA512

    dcdc74eb2307329fdc3d00c4848e890c6f10f79ebea475efd0991aaf6a2ad46afb26ada642ff46e00d7cae491341a05d8f6622aae8695273d55e5e34921ede93

  • SSDEEP

    6144:MnucMBiyeneCyknMgs2Mkv/MJ0Vdh1tQ:Jc4iye5nS2MkrVdz

Score
10/10
tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d.exe
    "C:\Users\Admin\AppData\Local\Temp\2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hlezhcez\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ilibsuoe.exe" C:\Windows\SysWOW64\hlezhcez\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4580
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create hlezhcez binPath= "C:\Windows\SysWOW64\hlezhcez\ilibsuoe.exe /d\"C:\Users\Admin\AppData\Local\Temp\2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3516
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description hlezhcez "wifi internet conection"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2748
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start hlezhcez
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3212
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1040
      2⤵
      • Program crash
      PID:2272
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
    1⤵
      PID:5072
    • C:\Windows\SysWOW64\hlezhcez\ilibsuoe.exe
      C:\Windows\SysWOW64\hlezhcez\ilibsuoe.exe /d"C:\Users\Admin\AppData\Local\Temp\2779351a1b414beaa4082cf515986f42005dbded271630ec4f7c97efdff85b8d.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        2⤵
        • Sets service image path in registry
        • Deletes itself
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:3904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 528
        2⤵
        • Program crash
        PID:2952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092
      1⤵
        PID:1936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544
        1⤵
          PID:1604

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ilibsuoe.exe
          Filesize

          12.0MB

          MD5

          46c500e61e1307d8e0e17f76f39471d1

          SHA1

          b10514c80f248cd3fb31102634776f74e4a1a613

          SHA256

          6ea33595da2a8c51c155a98eb47109a8a0c5fb690e486a389101b51c289708fa

          SHA512

          8e7aaff6521aaab46facb164c3c9a7bc0e8115e1bbd4783a9e62552fcbff8daf3b6250ab78aa8bea3a1cc00dfb53dc7ae4ab749200948e3b0317f551747a2743

          Download Submit

        • memory/1092-2-0x0000000002050000-0x0000000002063000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1092-3-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1092-7-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1092-9-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1092-8-0x0000000002050000-0x0000000002063000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1092-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1544-18-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1544-12-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1544-11-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1544-13-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

          Download

        • memory/3904-46-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-40-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-16-0x0000000000790000-0x00000000007A5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3904-21-0x0000000002600000-0x000000000280F000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3904-27-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-51-0x0000000007580000-0x000000000798B000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3904-55-0x0000000002BD0000-0x0000000002BD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3904-50-0x0000000001DF0000-0x0000000001DF5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/3904-47-0x0000000001DF0000-0x0000000001DF5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/3904-14-0x0000000000790000-0x00000000007A5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3904-45-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-44-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-43-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-42-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-41-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-17-0x0000000000790000-0x00000000007A5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3904-39-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-38-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-37-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-36-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-35-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-34-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-32-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-31-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-30-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-23-0x0000000002600000-0x000000000280F000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3904-33-0x0000000001D60000-0x0000000001D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3904-24-0x0000000000BF0000-0x0000000000BF6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3904-54-0x0000000007580000-0x000000000798B000-memory.dmp

          Filesize

          4.0MB

          Download