Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 780217
MD5: 4c085e942806b5c8d972695451aa8f48
SHA1: 208d04b2528058609221c87cf1272d420099c493
SHA256: 283b0f136d26968786e7a0abe1354758de4cdade534ddee63b93569c282f2299
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Modifies existing windows services
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 46%
Source: svartalfheim.top Virustotal: Detection: 16%
Source: jotunheim.name Virustotal: Detection: 15%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe Joe Sandbox ML: detected
Source: 0.3.file.exe.2d40000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.2d20e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.qtcnnjjg.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 14.2.svchost.exe.4d0000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.2.file.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.2d20e67.1.raw.unpack Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\joraxobufovo 8-nukasemuluz\24\ruyal\geyobuwu.pdb source: file.exe, qtcnnjjg.exe.0.dr

Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 80.66.75.254 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 93.189.42.6 443
Source: C:\Windows\SysWOW64\svchost.exe Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 52.101.40.29 25
Source: C:\Windows\SysWOW64\svchost.exe Domain query: jotunheim.name
Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:63446 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:59220 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:62659 -> 8.8.8.8:53
Source: Malware configuration extractor URLs: svartalfheim.top:443
Source: Malware configuration extractor URLs: jotunheim.name:443
Source: Joe Sandbox View ASN Name: RISS-ASRU RISS-ASRU
Source: Joe Sandbox View ASN Name: NTCOM-ASRU NTCOM-ASRU
Source: Joe Sandbox View IP Address: 80.66.75.254 80.66.75.254
Source: Joe Sandbox View IP Address: 93.189.42.6 93.189.42.6
Source: global traffic TCP traffic: 192.168.2.5:49700 -> 52.101.40.29:25
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree, 0_2_00402A62

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qtcnnjjg.exe PID: 5940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3232, type: MEMORYSTR

System Summary

Source: 0.3.file.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.file.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.2d20e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.2d20e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.356106077.0000000002E23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.file.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.file.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.2d20e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.2d20e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.qtcnnjjg.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.344749194.0000000002DA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.356106077.0000000002E23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\tsqtjgfo\
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C913 0_2_0040C913
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_0040C913 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_004DC913 14_2_004DC913
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError, 0_2_00401280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00408E26
Source: file.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tsqtjgfo
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d"C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@22/3@9/3
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 0_2_00406A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_004D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 14_2_004D9A6B
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02E2572E CreateToolhelp32Snapshot,Module32First, 11_2_02E2572E
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\joraxobufovo 8-nukasemuluz\24\ruyal\geyobuwu.pdb source: file.exe, qtcnnjjg.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Unpacked PE file: 11.2.qtcnnjjg.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02E28A16 push 0000002Bh; iretd 11_2_02E28A1C
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02E23598 push eax; iretd 11_2_02E23599
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe (copy)
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe
Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsqtjgfo
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe TID: 5004 Thread sleep count: 191 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 5004 Thread sleep time: -191000s >= -30000s
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe API coverage: 8.6 %
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 14_2_004D199C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02C4092B mov eax, dword ptr fs:[00000030h] 11_2_02C4092B
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02C40D90 mov eax, dword ptr fs:[00000030h] 11_2_02C40D90
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_02E2500B push dword ptr fs:[00000030h] 11_2_02E2500B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_004D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 14_2_004D9A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 80.66.75.254 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 93.189.42.6 443
Source: C:\Windows\SysWOW64\svchost.exe Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 52.101.40.29 25
Source: C:\Windows\SysWOW64\svchost.exe Domain query: jotunheim.name
Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3D3008
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4D0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsqtjgfo\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\tsqtjgfo\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create tsqtjgfo binPath= "C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description tsqtjgfo "wifi internet conection
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tsqtjgfo
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qtcnnjjg.exe PID: 5940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3232, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.qtcnnjjg.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.qtcnnjjg.exe.2da0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.342422923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344302410.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.354409615.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355868044.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355978031.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.355049753.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.320355730.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.826846421.00000000004D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qtcnnjjg.exe PID: 5940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3232, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\tsqtjgfo\qtcnnjjg.exe Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_004D88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 14_2_004D88B0