Overview

overview

10

Static

static

3

ab13a459f1...6e.exe

windows7-x64

10

ab13a459f1...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e.exe

  • Size

    13.1MB

  • MD5

    bb4ee97079a9375e48c5796cdf6b92a3

  • SHA1

    221dc8709cc35985dbaaf43974ba3d137d1f486a

  • SHA256

    ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e

  • SHA512

    ac910d13a6694e496d6d49a0f20598fdfdea38e09134bf08e156525f2da612e58a454142cf1fe817eb11ca1d05cbf4794db0486e54bb8b1937b08b18e08e960b

  • SSDEEP

    393216:455555555555555555555555555555555555555555555555555555555555555k:4555555555555555555555555555555k

Score
10/10
tofseediscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e.exe
    "C:\Users\Admin\AppData\Local\Temp\ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zimvuxfp\
      2⤵
        PID:3340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\isxkrmla.exe" C:\Windows\SysWOW64\zimvuxfp\
        2⤵
          PID:1108
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create zimvuxfp binPath= "C:\Windows\SysWOW64\zimvuxfp\isxkrmla.exe /d\"C:\Users\Admin\AppData\Local\Temp\ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2472
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description zimvuxfp "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2068
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start zimvuxfp
          2⤵
          • Launches sc.exe
          PID:2776
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1520
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 656
          2⤵
          • Program crash
          PID:4356
      • C:\Windows\SysWOW64\zimvuxfp\isxkrmla.exe
        C:\Windows\SysWOW64\zimvuxfp\isxkrmla.exe /d"C:\Users\Admin\AppData\Local\Temp\ab13a459f15b1c218389383542076efa884ad26d5d4898b3d1dd3ba108bfbe6e.exe"
        1⤵
          PID:2864
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
              PID:3296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 512
              2⤵
              • Program crash
              PID:4656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
            1⤵
              PID:2556
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2864 -ip 2864
              1⤵
                PID:452

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\isxkrmla.exe
                Filesize

                2.9MB

                MD5

                dd7751851e5728858364b4cfa203d128

                SHA1

                f6579de4676d4b6f79c6fb938c4a3e0ebcfc338e

                SHA256

                1c17ff7519377ab36d088c518cb0d008b97bb7a09f1677ef6a81b6bf3a3b20fc

                SHA512

                35ed7d4a1abbea22a41553c9c69f12c69503df37d9feeb9ecc5fad858b33bacda0c9408c1193033cae6c2d732b1d0c80a2fb2f4c52f4afae9068997a297861fc

                Download Submit

              • C:\Windows\SysWOW64\zimvuxfp\isxkrmla.exe
                Filesize

                2.4MB

                MD5

                7188b5b845bcec20baa3c540f6f59d47

                SHA1

                6cad161beb3ed56e17dbe4cf4642392cd52ff9d5

                SHA256

                74ea7c605d578485a34e87004f67180c70634fb6232fb65fe471174920da5bd4

                SHA512

                5a644cb83c861ab8b3180a57bf6ef5789158731fe306215347d2dfef330ba29349060eb6eb041aec40c0090cd98016275f1fcc3462116e412f17185b4701eb33

                Download Submit

              • memory/1296-9-0x0000000000660000-0x0000000000673000-memory.dmp

                Filesize

                76KB

                Download

              • memory/1296-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/1296-3-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1296-10-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1296-2-0x0000000000660000-0x0000000000673000-memory.dmp

                Filesize

                76KB

                Download

              • memory/1296-8-0x0000000000400000-0x00000000004B7000-memory.dmp

                Filesize

                732KB

                Download

              • memory/2864-12-0x0000000000400000-0x00000000004B7000-memory.dmp

                Filesize

                732KB

                Download

              • memory/2864-18-0x0000000000400000-0x00000000004B7000-memory.dmp

                Filesize

                732KB

                Download

              • memory/2864-11-0x0000000000400000-0x00000000004B7000-memory.dmp

                Filesize

                732KB

                Download

              • memory/2864-13-0x0000000000400000-0x00000000004B7000-memory.dmp

                Filesize

                732KB

                Download

              • memory/3296-16-0x0000000000F00000-0x0000000000F15000-memory.dmp

                Filesize

                84KB

                Download

              • memory/3296-17-0x0000000000F00000-0x0000000000F15000-memory.dmp

                Filesize

                84KB

                Download

              • memory/3296-14-0x0000000000F00000-0x0000000000F15000-memory.dmp

                Filesize

                84KB

                Download