Overview

overview

10

Static

static

80cd7cddd76f84...6c.exe

windows7_x64

10

80cd7cddd76f84...6c.exe

windows10-2004_x64

10
General
Target

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c

Size

207KB

Sample

220625-jywb4acdbn

Score
10/10
MD5

ad39ad585aa201d750e984c89aa02e9c

SHA1

142a5de3ec0af160e7f21368e39eb45a654df086

SHA256

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c

SHA512

6edfe20a8ae02b9b312689225fdd90fb208d8fde57491e9999946f16334600face6776b6011c96c22bd29d58f1fcd3a43addba849893ef89f07e171b96a76794

Malware Config

Extracted

Family

tofsee
C2

43.231.4.7

lazystax.ru
Targets
Target

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c

MD5

ad39ad585aa201d750e984c89aa02e9c

Filesize

207KB

Score
10/10
SHA1

142a5de3ec0af160e7f21368e39eb45a654df086

SHA256

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c

SHA512

6edfe20a8ae02b9b312689225fdd90fb208d8fde57491e9999946f16334600face6776b6011c96c22bd29d58f1fcd3a43addba849893ef89f07e171b96a76794

Tags

Signatures

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry

  • Creates new service(s)

    Tags

    TTPs

    New Service

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Deletes itself

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    10/10