tofsee | e20e7f2023e6134233122ceed2bc52430829399f9db2e49eb744308f96d510d9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47801cad0998c489473fface21cd3db1.exe
Size

12.7MB
MD5

47801cad0998c489473fface21cd3db1
SHA1

5bb5f2cbb6c14ece7ad706de007c14708e4c6d08
SHA256

e20e7f2023e6134233122ceed2bc52430829399f9db2e49eb744308f96d510d9
SHA512

476481eae82de1938c55131ce384903fe66ab4032dcca7bf0b2fdc27101ab8bfd77ac71186b23bef98a585f628c376844cc90ac1a24f09b8e0842abf3fbbf31f
SSDEEP

12288:f+/49QM1wKw8Xwl9Uxhof+zCTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTH:MRKw5bU9z

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\pndfsymm = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2820	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pndfsymm\ImagePath = "C:\\Windows\\SysWOW64\\pndfsymm\\coaiitiq.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2636	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	coaiitiq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2636	2536	coaiitiq.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2672	sc.exe
2788	sc.exe
2796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2608	1928	47801cad0998c489473fface21cd3db1.exe	28
PID 1928 wrote to memory of 2608	1928	47801cad0998c489473fface21cd3db1.exe	28
PID 1928 wrote to memory of 2608	1928	47801cad0998c489473fface21cd3db1.exe	28
PID 1928 wrote to memory of 2608	1928	47801cad0998c489473fface21cd3db1.exe	28
PID 1928 wrote to memory of 2732	1928	47801cad0998c489473fface21cd3db1.exe	30
PID 1928 wrote to memory of 2732	1928	47801cad0998c489473fface21cd3db1.exe	30
PID 1928 wrote to memory of 2732	1928	47801cad0998c489473fface21cd3db1.exe	30
PID 1928 wrote to memory of 2732	1928	47801cad0998c489473fface21cd3db1.exe	30
PID 1928 wrote to memory of 2672	1928	47801cad0998c489473fface21cd3db1.exe	32
PID 1928 wrote to memory of 2672	1928	47801cad0998c489473fface21cd3db1.exe	32
PID 1928 wrote to memory of 2672	1928	47801cad0998c489473fface21cd3db1.exe	32
PID 1928 wrote to memory of 2672	1928	47801cad0998c489473fface21cd3db1.exe	32
PID 1928 wrote to memory of 2788	1928	47801cad0998c489473fface21cd3db1.exe	34
PID 1928 wrote to memory of 2788	1928	47801cad0998c489473fface21cd3db1.exe	34
PID 1928 wrote to memory of 2788	1928	47801cad0998c489473fface21cd3db1.exe	34
PID 1928 wrote to memory of 2788	1928	47801cad0998c489473fface21cd3db1.exe	34
PID 1928 wrote to memory of 2796	1928	47801cad0998c489473fface21cd3db1.exe	36
PID 1928 wrote to memory of 2796	1928	47801cad0998c489473fface21cd3db1.exe	36
PID 1928 wrote to memory of 2796	1928	47801cad0998c489473fface21cd3db1.exe	36
PID 1928 wrote to memory of 2796	1928	47801cad0998c489473fface21cd3db1.exe	36
PID 1928 wrote to memory of 2820	1928	47801cad0998c489473fface21cd3db1.exe	40
PID 1928 wrote to memory of 2820	1928	47801cad0998c489473fface21cd3db1.exe	40
PID 1928 wrote to memory of 2820	1928	47801cad0998c489473fface21cd3db1.exe	40
PID 1928 wrote to memory of 2820	1928	47801cad0998c489473fface21cd3db1.exe	40
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41
PID 2536 wrote to memory of 2636	2536	coaiitiq.exe	41

C:\Users\Admin\AppData\Local\Temp\47801cad0998c489473fface21cd3db1.exe
"C:\Users\Admin\AppData\Local\Temp\47801cad0998c489473fface21cd3db1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pndfsymm\
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\coaiitiq.exe" C:\Windows\SysWOW64\pndfsymm\
  2⤵
  PID:2732
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create pndfsymm binPath= "C:\Windows\SysWOW64\pndfsymm\coaiitiq.exe /d\"C:\Users\Admin\AppData\Local\Temp\47801cad0998c489473fface21cd3db1.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description pndfsymm "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2788
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start pndfsymm
  2⤵
  - Launches sc.exe
  PID:2796
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2820

C:\Windows\SysWOW64\pndfsymm\coaiitiq.exe
C:\Windows\SysWOW64\pndfsymm\coaiitiq.exe /d"C:\Users\Admin\AppData\Local\Temp\47801cad0998c489473fface21cd3db1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\coaiitiq.exe

Filesize
10.4MB

MD5
d64399431da8a21d17c2a269ea7cc709

SHA1
e9fda60afae2452d4ca8260330b58e9b6a9ed1be

SHA256
217a8e735b9e1944267951137478a617ed0d411ed82f7a886f1e7c8db5691712

SHA512
0cdeea9813ee8f158c0a6b0bcf7d94ac6e21f97dd60aa39030c0ec52e109a349b477e2b8360ad89006500f1b6ae5401d3648442aa1475316487ab3e20587324a

Download Submit
C:\Windows\SysWOW64\pndfsymm\coaiitiq.exe

Filesize
9.1MB

MD5
69d9c7b45e3bc7ca44583019a6a3113b

SHA1
902b0e7d40dd7ce584b3217081f77a5f02e1cd0e

SHA256
37c0b05c587ac89e572394ab423efb7a9948f0bc2a5e2deef94f92d45adb802f

SHA512
c54aa096951789d73be1c8cd5654a58367d83900e3d0305476bbfc7a4cd7d8142529a3a3aa204a3ef04018fe4977eed08ee0838f762fac4f1562c8f762b4c20f

Download Submit
memory/1928-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/1928-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1928-4-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1928-7-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1928-9-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2536-12-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2536-10-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/2536-17-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2636-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads