Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 800802
MD5: 546a040e4479958f7c6b862dead9a269
SHA1: 69a99c8f2fbfc316140690be348d6b54d6c01d7d
SHA256: 229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: file.exe ReversingLabs: Detection: 43%
Source: file.exe Virustotal: Detection: 34%
Source: svartalfheim.top Virustotal: Detection: 17%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe Joe Sandbox ML: detected
Source: 17.2.qbxctmyn.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 23.2.svchost.exe.120000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.2.file.exe.2080e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.3.file.exe.21c0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.400000.0.unpack Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr
Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20230208_040427_786.etl.22.dr
Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr

Networking

Source: C:\Windows\SysWOW64\svchost.exe Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 176.124.192.220 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:52387 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:56924 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:60625 -> 8.8.8.8:53
Source: Malware configuration extractor URLs: svartalfheim.top:443
Source: Malware configuration extractor URLs: jotunheim.name:443
Source: Joe Sandbox View ASN Name: GULFSTREAMUA
Source: Joe Sandbox View IP Address: 176.124.192.220
Source: global traffic TCP traffic: 192.168.2.3:49703 -> 104.47.54.36:25
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.309037099.00000189DAC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309364718.00000189DAC39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree, 0_2_00402A62
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: file.exe, 00000000.00000002.289843511.00000000007A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
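The configuration extractor line in the AV Detection section and the Networking section above are the two places a responder mines for indicators: the configured C2 hosts, the observed connections from the injected svchost.exe, the SMTP session on port 25 and the Snort DNS alert. The following script, added here as an illustration and not part of the Joe Sandbox report, parses a handful of lines copied from those sections into a structured IOC set and runs two checks over the per-process events: a configured C2 domain being queried, and a binary under C:\Windows\System32 or C:\Windows\SysWOW64 opening an SMTP connection (the "System process connects to network" and "Uses SMTP" behaviour). The line formats are assumed from this report's rendering; the `REPORT_LINES` list is constructed from the report text, and the system-directory heuristic is this example's own rule, not a Joe Sandbox signature.

```python
"""Extract IOCs from Joe Sandbox report lines and apply two triage checks.

Added example; not part of the report. Line formats are assumed from the
rendered report above, and the sample lines are constructed from it.
"""
import json
import re

# Sample input constructed from the report's AV Detection and Networking sections.
REPORT_LINES = [
    'Source: 17.2.qbxctmyn.exe.400000.0.unpack Malware Configuration Extractor: '
    'Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}',
    "Source: C:\\Windows\\SysWOW64\\svchost.exe Domain query: svartalfheim.top",
    "Source: C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 176.124.192.220 443",
    "Source: C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 104.47.54.36 25",
    "Source: C:\\Windows\\SysWOW64\\svchost.exe Domain query: "
    "microsoft-com.mail.protection.outlook.com",
    "Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile "
    "192.168.2.3:52387 -> 8.8.8.8:53",
    "Source: global traffic TCP traffic: 192.168.2.3:49703 -> 104.47.54.36:25",
]

# Regexes assumed from how this report renders each line type.
CONFIG_RE = re.compile(r"Malware Configuration Extractor: (\w+) (\{.*\})\s*$")
CONNECT_RE = re.compile(r"^Source: (?P<proc>\S+) Network Connect: (?P<ip>[\d.]+) (?P<port>\d+)")
DNS_RE = re.compile(r"^Source: (?P<proc>\S+) Domain query: (?P<domain>\S+)\s*$")
SNORT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\s*$")
TCP_RE = re.compile(r"TCP traffic: [\d.]+:\d+ -> (?P<ip>[\d.]+):(?P<port>\d+)\s*$")

# Heuristic (this example's assumption): Windows system binaries should not be the
# process opening outbound SMTP sessions; Tofsee injects into svchost.exe to do so.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SMTP_PORT = 25


def parse_report(lines):
    """Return (iocs, events): IOC sets plus per-process DNS/connect events."""
    iocs = {"family": None, "c2": [], "domains": set(), "ip_ports": set(), "snort_sids": {}}
    events = []
    for line in lines:
        if m := CONFIG_RE.search(line):
            iocs["family"] = m.group(1)
            for hostport in json.loads(m.group(2)).get("C2 list", []):
                host, _, port = hostport.rpartition(":")
                iocs["c2"].append((host, int(port)))
                iocs["domains"].add(host)
        elif m := CONNECT_RE.match(line):
            ip, port = m.group("ip"), int(m.group("port"))
            iocs["ip_ports"].add((ip, port))
            events.append({"kind": "connect", "proc": m.group("proc"), "ip": ip, "port": port})
        elif m := DNS_RE.match(line):
            events.append({"kind": "dns", "proc": m.group("proc"), "domain": m.group("domain")})
        elif m := SNORT_RE.search(line):
            iocs["snort_sids"][int(m.group("sid"))] = m.group("msg")
        elif m := TCP_RE.search(line):
            iocs["ip_ports"].add((m.group("ip"), int(m.group("port"))))
    return iocs, events


def detect(iocs, events):
    """Flag configured-C2 lookups and SMTP sessions opened by system binaries."""
    findings = []
    for ev in events:
        in_system_dir = ev["proc"].lower().startswith(SYSTEM_DIRS)
        if ev["kind"] == "dns" and ev["domain"] in iocs["domains"]:
            findings.append(("configured_c2_queried", ev["proc"], ev["domain"]))
        if ev["kind"] == "connect" and in_system_dir and ev["port"] == SMTP_PORT:
            findings.append(("smtp_from_system_process", ev["proc"], f'{ev["ip"]}:{ev["port"]}'))
    return findings


def triage(lines=REPORT_LINES):
    """Convenience wrapper: parse the lines and return (iocs, findings)."""
    iocs, events = parse_report(lines)
    return iocs, detect(iocs, events)


if __name__ == "__main__":
    iocs, findings = triage()
    printable = {k: sorted(v) if isinstance(v, set) else v for k, v in iocs.items()}
    print(json.dumps({"iocs": printable, "findings": findings}, indent=2, default=str))
```

The report prints the IP the injected svchost.exe reached on 443 and the C2 hostnames separately; it does not state which hostname resolved to 176.124.192.220, so the script keeps domain and IP indicators in separate sets rather than pairing them. The 104.47.54.36:25 session is the spam-relay attempt toward microsoft-com.mail.protection.outlook.com; the destination is a Microsoft MX rather than attacker infrastructure, which is why the check keys on the originating process and port, not on the IP.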

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

System Summary

Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C913 0_2_0040C913
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_0040C913 17_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0012C913 23_2_0012C913
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError, 0_2_00401280
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll (4 occurrences)
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
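Reading the match list above by hand hides the one thing that matters for triage: which families are confirmed by independent rule authors, and which memory regions carry conflicting labels (the E30000 region in process 17 matches both an Elastic Smokeloader rule and the Tofsee rules; two RedLineStealer hits stand alone). The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code; it parses the report's "Source: ..., type: ... Matched rule: ..." line format and groups hits by family and author. The sample lines are copied from the report with the long Elastic metadata trimmed to the fields the parser reads; deriving the author from the license field and the family from threat_name or the MALWARE_Win_ prefix are this example's own heuristics, not a documented convention of either rule set.

```python
import re
from collections import defaultdict

# Constructed input: match lines copied from the report above, with the long
# Elastic metadata trimmed to the fields this parser reads.
REPORT_LINES = [
    "Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee",
    "Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 os = windows, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee",
    "Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee",
    "Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 os = windows, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee",
    "Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f os = windows, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader",
    "Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 os = windows, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee",
    "Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c os = windows, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer",
]

MATCH_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$"
)


def parse_meta(meta):
    """Turn 'k = v, k2 = v2' into a dict (values in this format contain no commas)."""
    out = {}
    for field in meta.split(", "):
        if " = " in field:
            key, value = field.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


def family_of(rule, meta):
    # Heuristic (this example's assumption): Elastic rules carry threat_name,
    # ditekSHen rules encode the family after the MALWARE_Win_ prefix.
    if "threat_name" in meta:
        return meta["threat_name"].rsplit(".", 1)[-1]
    if rule.startswith("MALWARE_Win_"):
        return rule[len("MALWARE_Win_"):]
    return rule


def author_of(meta):
    # Heuristic: explicit author field, else the license identifies Elastic.
    if "author" in meta:
        return meta["author"]
    if meta.get("license", "").startswith("Elastic"):
        return "Elastic"
    return "unknown"


def parse_matches(lines):
    hits = []
    for line in lines:
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        meta = parse_meta(m.group("meta") or "")
        hits.append({
            "source": m.group("source"),
            "type": m.group("type"),
            "rule": m.group("rule"),
            "family": family_of(m.group("rule"), meta),
            "author": author_of(meta),
        })
    return hits


def triage(lines):
    """Group hits by family; a family is corroborated when two independent
    rule authors agree, and a region that carries two families needs a look."""
    hits = parse_matches(lines)
    families = defaultdict(lambda: {"rules": set(), "authors": set(), "sources": set()})
    by_source = defaultdict(set)
    for h in hits:
        fam = families[h["family"]]
        fam["rules"].add(h["rule"])
        fam["authors"].add(h["author"])
        fam["sources"].add(h["source"])
        by_source[h["source"]].add(h["family"])
    corroborated = sorted(f for f, d in families.items() if len(d["authors"]) >= 2)
    singletons = sorted(f for f, d in families.items() if len(d["rules"]) == 1)
    conflicts = {s: sorted(fams) for s, fams in by_source.items() if len(fams) > 1}
    return {
        "families": dict(families),
        "corroborated": corroborated,
        "singletons": singletons,
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    print("corroborated:", result["corroborated"])
    print("single-rule families:", result["singletons"])
    for src, fams in result["conflicts"].items():
        print("conflicting labels in", src, "->", fams)
```

On this report the output singles out Tofsee as the only family confirmed by two authors (ditekSHen and Elastic) across the on-disk unpack, the dropped service binary and the injected svchost.exe image, while the Smokeloader and RedLineStealer hits each come from one rule. The report gives no reason for those extra matches, so they belong in the "review manually" bucket rather than the verdict.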
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\htdzdeug\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 020827AB appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00408E26
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@34/16@5/2
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 17_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 23_2_00129A6B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: file.exe ReversingLabs: Detection: 43%
Source: file.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul Jump to behavior
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
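The process list above is the whole installation chain in one place: cmd.exe creates a random-named folder under SysWOW64 and moves the Temp-staged qbxctmyn.exe into it, sc.exe registers it as an auto-start service with a "wifi support" display name, netsh adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe under a name that imitates Microsoft's wording, and the service binary then starts a bare "svchost.exe" itself. None of those steps is unique to this sample, so they are worth turning into generic checks. The script below is an added example written for this page, not Joe Sandbox code and not a Tofsee signature; it parses the report's "Source: <parent> Process created: <image> <command line>" lines and applies four checks: a service binary registered in a subdirectory of C:\Windows, an inbound allow rule added for any program (with a second flag when the program is svchost.exe), an svchost.exe whose parent is not services.exe or that runs without a -k service group, and a user-writable file moved into the Windows directory. The allowlist of directories and the rule names are this example's own choices; the sample lines are copied from the report, plus one legitimate svchost line to show that a parent recorded as "unknown" is not assessed.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: "Process created" lines copied from the report above, plus one
# legitimate svchost.exe line whose parent the sandbox recorded as "unknown".
PROCESS_LINES = r'''
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
'''.strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$", re.I)

# Directories where a service binary is expected to live (example's own allowlist).
WINDOWS_BIN_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def base(path):
    return PureWindowsPath(path).name.lower()


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def check_service_install(ev):
    """sc create with a binPath in a subdirectory of C:\\Windows."""
    if base(ev["image"]) != "sc.exe" or not re.search(r"\bcreate\b", ev["cmdline"], re.I):
        return []
    m = re.search(r'binPath=\s*"?([^" ]+)', ev["cmdline"], re.I)
    if not m:
        return []
    exe = m.group(1)
    d = parent_dir(exe)
    if d.startswith(r"c:\windows") and d not in WINDOWS_BIN_DIRS:
        return [("service_binary_in_windows_subdir", exe)]
    return []


def check_firewall_rule(ev):
    """netsh advfirewall inbound allow rule; svchost.exe as target is a second flag."""
    c = ev["cmdline"]
    if base(ev["image"]) != "netsh.exe" or "advfirewall firewall add rule" not in c.lower():
        return []
    if not re.search(r"action=allow", c, re.I):
        return []
    m = re.search(r'program="?([^"]+?\.exe)', c, re.I)
    prog = m.group(1) if m else "<any>"
    findings = [("firewall_allow_rule_added", prog)]
    if base(prog) == "svchost.exe":
        findings.append(("firewall_allow_rule_for_svchost", prog))
    return findings


def check_svchost_parent(ev):
    """Real svchost instances are started by services.exe with a -k group."""
    if base(ev["image"]) != "svchost.exe":
        return []
    findings = []
    if base(ev["parent"]) not in ("services.exe", "unknown"):
        findings.append(("svchost_not_started_by_services", ev["parent"]))
    if not re.search(r"(^|\s)-k\s+\S+", ev["cmdline"]):
        findings.append(("svchost_without_service_group", ev["cmdline"]))
    return findings


def check_staging_move(ev):
    """cmd.exe moving or copying a user-writable file under C:\\Windows (unquoted paths only)."""
    c = ev["cmdline"]
    if base(ev["image"]) != "cmd.exe" or not re.search(r"\b(move|copy|xcopy)\b", c, re.I):
        return []
    paths = re.findall(r'[A-Za-z]:\\[^" ]+', c)[1:]      # drop cmd.exe's own path
    srcs = [p for p in paths if "\\temp\\" in p.lower() or p.lower().startswith(r"c:\users")]
    dsts = [p for p in paths if p.lower().startswith(r"c:\windows")]
    if srcs and dsts:
        return [("user_writable_file_moved_into_windows_dir", f"{srcs[0]} -> {dsts[-1]}")]
    return []


CHECKS = [check_service_install, check_firewall_rule, check_svchost_parent, check_staging_move]


def parse_events(lines):
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]


def triage(lines):
    findings = []
    for ev in parse_events(lines):
        for check in CHECKS:
            for name, detail in check(ev):
                findings.append({"rule": name, "parent": ev["parent"], "image": ev["image"], "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_LINES):
        print(f'{f["rule"]:45} {f["detail"]}')
```

The svchost check is the one to keep an eye on: a 32-bit svchost.exe started by a service binary with no -k argument is exactly the shape the report's later "System process connects to network" and "Injects a PE file into a foreign processes" findings describe, and the firewall rule added just before it is what lets that process accept inbound connections. The report's MpCmdRun.exe line produces nothing, and the legitimate svchost line is skipped because its parent is not recorded.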
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 0_2_00406A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B9EA4 CreateToolhelp32Snapshot,Module32First, 0_2_007B9EA4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr
Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20230208_040427_786.etl.22.dr
Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BD18C push 0000002Bh; iretd 0_2_007BD192
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
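The two "Unpacked PE file" lines above record a section-table change between the file on disk and the image dumped from memory: the on-disk layout is .text:ER;.rdata:R;.data:W;.reloc:R while the dumped image has .text:ER;.data:W;.rsrc:R;.reloc:R, so a section disappeared and another appeared after the sample rewrote its own headers. That comparison is cheap to reproduce on a dump of your own. The script below is an added example, not Joe Sandbox code and not code from the sample; it parses the PE section table with nothing but struct, renders each section's memory rights, and diffs two images. The two PE blobs are constructed in memory to match the layouts the report lists (no section data, headers only), and the rights string shows every set bit, so the writable data section prints as RW where the report's shorthand prints W.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Constructed minimal PE32: DOS header, NT headers and a section table only.
    `sections` is a list of (name, characteristics); no section bodies are emitted."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 0xE0                                               # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def section_rights(pe):
    """Return {section name: rights} with E/R/W for the memory flags that are set."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                               # after signature + file header + optional header
    rights = {}
    for i in range(nsec):
        name, *_, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        flags = "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                                   (IMAGE_SCN_MEM_READ, "R"),
                                                   (IMAGE_SCN_MEM_WRITE, "W")) if chars & bit)
        rights[name.rstrip(b"\0").decode()] = flags
    return rights


def rights_summary(pe):
    """Report-style one-liner, e.g. '.text:ER;.data:RW;.rsrc:R;.reloc:R;'."""
    return "".join(f"{n}:{f};" for n, f in section_rights(pe).items())


def diff_rights(disk, dump):
    """List sections that were added, dropped, or changed rights between two images."""
    a, b = section_rights(disk), section_rights(dump)
    changes = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            changes.append(f"{name}: added in memory ({b[name]})")
        elif name not in b:
            changes.append(f"{name}: missing in memory (was {a[name]})")
        elif a[name] != b[name]:
            changes.append(f"{name}: {a[name]} -> {b[name]}")
    return changes


def looks_unpacked(disk, dump):
    """Any table change, or any section that is both writable and executable, is a flag."""
    return bool(diff_rights(disk, dump)) or any("E" in f and "W" in f for f in section_rights(dump).values())


# Constructed images matching the two layouts the report lists for 0.2.file.exe.400000.0.unpack.
DISK = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                 (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
                 (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)])
DUMP = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                 (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                 (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
                 (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)])

if __name__ == "__main__":
    print("disk:", rights_summary(DISK))
    print("dump:", rights_summary(DUMP))
    for change in diff_rights(DISK, DUMP):
        print(" ", change)
    print("unpacking stage present:", looks_unpacked(DISK, DUMP))
```

When running this against a real dump, parse the on-disk file and the memory image separately rather than assuming the dump's header is intact: the "overwrites its own PE header" finding at the top of the report is a reminder that the in-memory MZ/PE signatures may already have been wiped, in which case section_rights raises and the dump has to be carved from the VAD or rebuilt before comparison.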

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htdzdeug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe TID: 5100 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5100 Thread sleep time: -93000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe API coverage: 5.5 %
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 23_2_0012199C
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe API call chain: ExitProcess graph end node
Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware820ES
Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 00000001.00000002.530944246.000001A573402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware8
Source: svchost.exe, 00000001.00000002.531072410.000001A573428000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.531375972.0000028763264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.531173272.0000021B36029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B9781 push dword ptr fs:[00000030h] 0_2_007B9781
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0208092B mov eax, dword ptr fs:[00000030h] 0_2_0208092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h] 0_2_02080D90
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_00E3092B mov eax, dword ptr fs:[00000030h] 17_2_00E3092B
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_00E30D90 mov eax, dword ptr fs:[00000030h] 17_2_00E30D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 17_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 23_2_00129A6B
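The FirmwareTableInformation query listed above, together with the "VMware, Inc." and "VMware7,1" strings found in process memory, is the usual SMBIOS-based hypervisor check: GetSystemFirmwareTable('RSMB') returns the raw SMBIOS tables, and the Type 1 (System Information) structure carries the manufacturer and product strings that VMware guests populate with exactly those values. The Python below is an added example, not code from this report or from the sample: it parses a RawSMBIOSData buffer, extracts the Type 1 strings and matches them against a hypervisor marker list. The SMBIOS blobs are constructed inside the block, the marker list is a heuristic of mine, and read_rsmb() is a Windows-only helper for fetching the live table. One caveat from the report itself: the firmware query and the VMware strings are attributed to C:\Windows\System32\svchost.exe and to dump index 0x14 (process 20), not to the injected C:\Windows\SysWOW64\svchost.exe (process 23, dump index 0x17), so they may reflect ordinary Windows service activity rather than the malware's own check; the evasive API chains attributed to file.exe and qbxctmyn.exe are the stronger evidence.

```python
"""Parse a RawSMBIOSData buffer (what GetSystemFirmwareTable('RSMB') returns)
and decide whether the Type 1 System Information strings name a hypervisor.
Added example; the SMBIOS blobs built below are constructed test data."""
import struct

RSMB_HEADER = struct.Struct("<BBBBI")   # Used20CallingMethod, major, minor, DmiRevision, Length
STRUCT_HEADER = struct.Struct("<BBH")   # type, length, handle
END_OF_TABLE = 127

# Heuristic marker list (my assumption, not from the report): substrings of the
# manufacturer / product / version strings that identify common hypervisors.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
              "parallels", "virtual machine")


def smbios_table(rsmb):
    """Strip the 8-byte RawSMBIOSData header and return the table bytes."""
    _, _, _, _, length = RSMB_HEADER.unpack_from(rsmb, 0)
    return rsmb[RSMB_HEADER.size:RSMB_HEADER.size + length]


def parse_structures(table):
    """Yield (type, formatted_area, strings) for each SMBIOS structure.
    A structure is a formatted area of `length` bytes followed by a set of
    NUL-terminated strings; the set itself ends with an extra NUL (so "\\0\\0")."""
    off = 0
    while off + STRUCT_HEADER.size <= len(table):
        stype, length, _handle = STRUCT_HEADER.unpack_from(table, off)
        if length < STRUCT_HEADER.size:
            break                                   # corrupt length field; stop
        formatted = table[off:off + length]
        end = table.find(b"\x00\x00", off + length)
        if end < 0:
            break
        strings = [s.decode("ascii", "replace")
                   for s in table[off + length:end].split(b"\x00") if s]
        yield stype, formatted, strings
        if stype == END_OF_TABLE:
            break
        off = end + 2


def system_info(table):
    """Return (manufacturer, product, version) from the Type 1 structure.
    Offsets 4..6 hold 1-based indexes into the string set; 0 means absent."""
    for stype, formatted, strings in parse_structures(table):
        if stype != 1 or len(formatted) < 7:
            continue

        def s(idx):
            return strings[idx - 1] if 0 < idx <= len(strings) else ""
        return s(formatted[4]), s(formatted[5]), s(formatted[6])
    return "", "", ""


def vm_markers(rsmb):
    """List the hypervisor markers present in the system-info strings."""
    hay = " ".join(system_info(smbios_table(rsmb))).lower()
    return [m for m in VM_MARKERS if m in hay]


def build_rsmb(manufacturer, product, version):
    """Construct a RawSMBIOSData buffer holding a minimal Type 1 structure and
    the Type 127 end-of-table marker (constructed test data, not a real dump)."""
    type1 = struct.pack("<BBHBBBB", 1, 8, 0x0001, 1, 2, 3, 0)   # string idx 1..3, serial absent
    type1 += b"".join(s.encode() + b"\x00" for s in (manufacturer, product, version)) + b"\x00"
    eot = STRUCT_HEADER.pack(END_OF_TABLE, 4, 0x0002) + b"\x00\x00"
    table = type1 + eot
    return RSMB_HEADER.pack(0, 2, 7, 0, len(table)) + table


def read_rsmb():
    """Windows only: read the live table with kernel32!GetSystemFirmwareTable."""
    import ctypes
    k32 = ctypes.windll.kernel32
    rsmb = 0x52534D42                                    # 'RSMB'
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)  # first call sizes the buffer
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


if __name__ == "__main__":
    vmware = build_rsmb("VMware, Inc.", "VMware7,1", "None")   # strings seen in this report
    print(system_info(smbios_table(vmware)), vm_markers(vmware))
```

On a Windows host, replace the constructed buffer with read_rsmb() to see what the sample would have seen; a sandbox that wants to defeat this check has to rewrite these SMBIOS strings, not just hide the hypervisor's processes and drivers.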

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 176.124.192.220 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 120000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 120000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 120000
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3D6008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326
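The "Process created" lines above record the whole installation in order: cmd.exe creates a randomly named directory under SysWOW64, moves the dropped binary there from %TEMP%, sc.exe registers it as an auto-start service ("wifi support") with the original sample path passed as /d and starts it, netsh adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe, and the service binary then launches that svchost.exe and writes a PE image (4D5A at base 120000) into it. Each step is a usable detection on its own and the chain correlates cleanly. The Python below is an added example, not part of this report: it runs simple rules over constructed process-creation records whose command lines copy the ones listed above. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) by assumption; the "8 lowercase letters" path pattern generalises from this one sample; PIDs other than 5128, 4532 and 2888, and the parent of file.exe, are invented.

```python
"""Detection rules for the install chain recorded in this report (mkdir under
SysWOW64, sc create/start of the dropped service, netsh allow rule for
svchost.exe, svchost.exe spawned by the service binary), run over constructed
process-creation records. Added example; Sysmon Event ID 1 field names assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


# Path shape from this report (C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe);
# generalising to "8 lowercase letters" for directory and file is an assumption.
RANDOM_DIR = r"C:\\Windows\\SysWOW64\\[a-z]{8}\\"
MKDIR_SYSWOW64 = re.compile(r"\bmkdir\s+" + RANDOM_DIR, re.I)
RANDOM_SYSWOW64_EXE = re.compile(RANDOM_DIR + r"[a-z]{8}\.exe", re.I)
SC_CREATE = re.compile(r'\bcreate\s+(\S+)\s+binPath=\s*"?([^"]+)', re.I)
SC_START = re.compile(r"\bstart\s+(\S+)", re.I)
# An inbound allow rule whose program is svchost.exe itself: Windows scopes
# firewall rules to the hosted service, not to the host binary.
NETSH_ALLOW_SVCHOST = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?[^"\s]*\\svchost\.exe', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples. State is kept across events so that
    `sc start` of a service whose creation was flagged is reported too."""
    findings = []
    flagged_services = set()
    for ev in events:
        exe, cl = _basename(ev.image), ev.command_line
        if exe == "cmd.exe" and MKDIR_SYSWOW64.search(cl):
            findings.append(("cmd_mkdir_syswow64", ev.pid, cl))
        elif exe == "sc.exe":
            m = SC_CREATE.search(cl)
            if m and RANDOM_SYSWOW64_EXE.search(m.group(2)):
                flagged_services.add(m.group(1).lower())
                findings.append(("sc_create_random_syswow64_binpath", ev.pid, m.group(2)))
            m = SC_START.search(cl)
            if m and m.group(1).lower() in flagged_services:
                findings.append(("sc_start_flagged_service", ev.pid, m.group(1)))
        elif exe == "netsh.exe" and NETSH_ALLOW_SVCHOST.search(cl):
            findings.append(("netsh_allow_rule_for_svchost", ev.pid, cl))
        elif exe == "svchost.exe" and _basename(ev.parent_image) != "services.exe":
            # Heuristic: svchost.exe is normally a child of services.exe; any other
            # parent (here the dropped service binary) deserves a look.
            findings.append(("svchost_unexpected_parent", ev.pid, ev.parent_image))
    return findings


# Constructed records reproducing the "Process created" lines of this report
# (PIDs 5128, 4532 and 2888 appear in the report; the rest are invented),
# plus two benign records to show the rules stay quiet on normal activity.
FILE_EXE = "C:\\Users\\user\\Desktop\\file.exe"
DROPPED = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"
SAMPLE_EVENTS = [
    ProcEvent(5128, FILE_EXE, '"' + FILE_EXE + '"', "C:\\Windows\\explorer.exe"),
    ProcEvent(5200, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\htdzdeug\\', FILE_EXE),
    ProcEvent(5204, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\user\\AppData\\Local\\Temp\\qbxctmyn.exe" '
              'C:\\Windows\\SysWOW64\\htdzdeug\\', FILE_EXE),
    ProcEvent(5208, "C:\\Windows\\SysWOW64\\sc.exe",
              '"C:\\Windows\\System32\\sc.exe" create htdzdeug binPath= "' + DROPPED + ' /d\\"' + FILE_EXE + '\\"" '
              'type= own start= auto DisplayName= "wifi support"', FILE_EXE),
    ProcEvent(5212, "C:\\Windows\\SysWOW64\\sc.exe",
              '"C:\\Windows\\System32\\sc.exe" description htdzdeug "wifi internet conection"', FILE_EXE),
    ProcEvent(5216, "C:\\Windows\\SysWOW64\\sc.exe", '"C:\\Windows\\System32\\sc.exe" start htdzdeug', FILE_EXE),
    ProcEvent(5220, "C:\\Windows\\SysWOW64\\netsh.exe",
              '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes', FILE_EXE),
    ProcEvent(4532, DROPPED, DROPPED + ' /d"' + FILE_EXE + '"', "C:\\Windows\\System32\\services.exe"),
    ProcEvent(2888, "C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe", DROPPED),
    ProcEvent(900, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs -p", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(901, "C:\\Windows\\System32\\sc.exe",
              'sc.exe create VendorSvc binPath= "C:\\Program Files\\Vendor\\vendorsvc.exe" start= auto',
              "C:\\Windows\\System32\\msiexec.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

Run as a script it prints the five hits in chain order and nothing for the two benign records. The `sc start` rule only fires for a service whose creation was already flagged, so it confirms the chain rather than firing on every service start; the netsh rule is the one to alert on outright, since a blanket inbound allow for the svchost.exe host binary has no legitimate reason to exist.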

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000014.00000002.531860154.0000027EFA7BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000014.00000002.531813562.0000027EFA76C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000015.00000002.531091256.000002142EE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.531270706.000002142EF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe Code function: 17_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 17_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_001288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 23_2_001288B0