Analysis
max time kernel: 112s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 18:48
Static task: static1

Behavioral task: behavioral1
  Sample: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe
  Resource: win10v2004-20241007-en
General
Target: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe
Size: 144KB
MD5: 79e36707abf82183a03e9d8dda3b3430
SHA1: d986b8ba3ed36333f127b34842fc991713c4f5ac
SHA256: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790f
SHA512: 26f0b48f09193014bd9fc5f1ede8df23979e4791ae47e6d4395656fa62d22a32435f43aba15e3f32facb4fdc24f2ed97305bebf1eb53bc5033bae82710e88b4d
SSDEEP: 3072:uaVP6HaGT5SR8fGzIpYDx1cTqO9lkS2jbxWGqSV3:uaGoEpWxSbGqSV3
Malware Config
Extracted: tofsee
91.218.39.211
188.130.237.44
91.204.162.103
188.165.132.183
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
Tofsee family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe

Executes dropped EXE (1 IoCs)
  pid: 1400
  Process: efxvvphu.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\efxvvphu.exe\""
  Process: 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1400 set thread context of 4672
  pid: 1400
  Process: efxvvphu.exe
  procid_target: 86

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid: 868
  pid_target: 4672
  Process: WerFault.exe
  procid_target: 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | efxvvphu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2764 wrote to memory of 1400 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 84
  PID 2764 wrote to memory of 1400 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 84
  PID 2764 wrote to memory of 1400 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 84
  PID 1400 wrote to memory of 4672 | 1400 | efxvvphu.exe | 86
  PID 1400 wrote to memory of 4672 | 1400 | efxvvphu.exe | 86
  PID 1400 wrote to memory of 4672 | 1400 | efxvvphu.exe | 86
  PID 1400 wrote to memory of 4672 | 1400 | efxvvphu.exe | 86
  PID 1400 wrote to memory of 4672 | 1400 | efxvvphu.exe | 86
  PID 2764 wrote to memory of 4124 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 91
  PID 2764 wrote to memory of 4124 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 91
  PID 2764 wrote to memory of 4124 | 2764 | 086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\086d569820100e59cb3709bb6c5ea5b1026861c52ff05c7d9afad992885f790fN.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2764

  C:\Users\Admin\efxvvphu.exe
    Command line: "C:\Users\Admin\efxvvphu.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1400

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - System Location Discovery: System Language Discovery
      PID: 4672

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 360
        - Program crash
        PID: 868

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0368.bat" "
    - System Location Discovery: System Language Discovery
    PID: 4124

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4672 -ip 4672
  PID: 1532
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 304B
MD5: 260fe91b48cd9bdd9eb9a3677f18f128
SHA1: 2f7334722de5e25d81de5be4fadc98ef92dadca2
SHA256: f30ed516ce5be9cdfe1e84c78d3e5c600ec50d0458ba0f0bf72f7f21de3da549
SHA512: 55687dc48f7a889652472e797571ef31eb51269fe3441c3046a005b326d2dadba274c677de2b0496aabd76df5a0d6dd395efef4990ec9650a548612d61668bd9

Filesize: 46.6MB
MD5: 8e52897086626ccc804e6e35799ba637
SHA1: 9587371fc0238858dbc4118a30bd03d4302390a9
SHA256: dd3d0118992e80ee4bde16e012d0494122c84da392e56cab3c3ad998d4c87f7c
SHA512: 05fab1c53a88c92b4190d1dc6d762211eb66e7f7384ddf20c9c1d6356f3760903c983f06ef55dc9b7a462bb38f178b53d4e8c0ddc19f04efcba38c408d15af9a