Windows
Analysis Report
OcmKX57vR7
Overview
General Information
Detection
Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information
Classification
- System is w10x64
- OcmKX57vR7.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\OcmKX57vR7.exe" MD5: DB4D9CA855430682836DB0A535E75594)
  - cmd.exe (PID: 6440 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ghrubsm\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 6488 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pjzcupje.exe" C:\Windows\SysWOW64\ghrubsm\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - sc.exe (PID: 6540 cmdline: C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
    - conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - sc.exe (PID: 6636 cmdline: C:\Windows\System32\sc.exe" description ghrubsm "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
    - conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - sc.exe (PID: 6740 cmdline: "C:\Windows\System32\sc.exe" start ghrubsm MD5: 24A3E2603E63BCB9695A2935D3B24695)
    - conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - netsh.exe (PID: 6804 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- pjzcupje.exe (PID: 6792 cmdline: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d"C:\Users\user\Desktop\OcmKX57vR7.exe" MD5: CD1553A922DBF34673BA9D9D9A0FF5DE)
  - svchost.exe (PID: 6936 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
- svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7124 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 2560 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 2912 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 5484 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  - MpCmdRun.exe (PID: 6728 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
    - conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5044 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4432 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
{"C2 list": ["svartalfheim.top:443", "jo:443"]}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
| JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
| MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
| JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
| MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |