tofsee | 790ff7291e4267aeaffdd71ea6767353b0f46ee27dc9b1d287797d2f403b0715

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a6f8d6155ae1fd81f089e2f2459d79a.exe
Size

10.5MB
MD5

0a6f8d6155ae1fd81f089e2f2459d79a
SHA1

9ed665dcff37925024f78a80001e88e230054146
SHA256

790ff7291e4267aeaffdd71ea6767353b0f46ee27dc9b1d287797d2f403b0715
SHA512

fa27d4bef6d28d06f326b236fd0f02679074c5fe8a24f7a796a79acfdf3a28fff91fd22dd7bd83e538813d67c4cf894f7114c41a8c384280943f8d77130f3646
SSDEEP

98304:xbxPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:xb

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

176.111.174.19

defeatwax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\sihvtyjh = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2756	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sihvtyjh\ImagePath = "C:\\Windows\\SysWOW64\\sihvtyjh\\vhtqzxg.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2104	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	vhtqzxg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2104	2612	vhtqzxg.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2744	sc.exe
2792	sc.exe
2768	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2696	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	28
PID 2668 wrote to memory of 2696	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	28
PID 2668 wrote to memory of 2696	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	28
PID 2668 wrote to memory of 2696	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	28
PID 2668 wrote to memory of 2824	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	30
PID 2668 wrote to memory of 2824	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	30
PID 2668 wrote to memory of 2824	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	30
PID 2668 wrote to memory of 2824	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	30
PID 2668 wrote to memory of 2744	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	32
PID 2668 wrote to memory of 2744	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	32
PID 2668 wrote to memory of 2744	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	32
PID 2668 wrote to memory of 2744	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	32
PID 2668 wrote to memory of 2792	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	34
PID 2668 wrote to memory of 2792	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	34
PID 2668 wrote to memory of 2792	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	34
PID 2668 wrote to memory of 2792	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	34
PID 2668 wrote to memory of 2768	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	37
PID 2668 wrote to memory of 2768	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	37
PID 2668 wrote to memory of 2768	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	37
PID 2668 wrote to memory of 2768	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	37
PID 2668 wrote to memory of 2756	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	38
PID 2668 wrote to memory of 2756	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	38
PID 2668 wrote to memory of 2756	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	38
PID 2668 wrote to memory of 2756	2668	0a6f8d6155ae1fd81f089e2f2459d79a.exe	38
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41
PID 2612 wrote to memory of 2104	2612	vhtqzxg.exe	41

C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe
"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sihvtyjh\
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vhtqzxg.exe" C:\Windows\SysWOW64\sihvtyjh\
  2⤵
  PID:2824
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create sihvtyjh binPath= "C:\Windows\SysWOW64\sihvtyjh\vhtqzxg.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2744
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description sihvtyjh "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2792
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start sihvtyjh
  2⤵
  - Launches sc.exe
  PID:2768
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2756

C:\Windows\SysWOW64\sihvtyjh\vhtqzxg.exe
C:\Windows\SysWOW64\sihvtyjh\vhtqzxg.exe /d"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vhtqzxg.exe

Filesize
1.1MB

MD5
5357d48c584a467d969f93afd8623b55

SHA1
5e6ffa044667146e74e9f2c38e3f6dde94ed2cd4

SHA256
1e16c20c4975cd38ae0a54eaa5dbf8e7588eaf09d18904f7567082ac168e8b93

SHA512
f19cd82aa38b7ef4a532259ecd0896a6e323fe381bd966a6c784e7b0710cb35fa4fa8871991b127e05e57a6c56f4f56000ae39d231937d2e80ffb2b09c55cc51

Download Submit
C:\Windows\SysWOW64\sihvtyjh\vhtqzxg.exe

Filesize
892KB

MD5
0158069f11c7d77a2310478d423d2cd8

SHA1
356f5b6264252ec416f15a21236d52e17e5cfd51

SHA256
b998ff0af4cfb22a2d18ba99837bbe019b1d1cc3d5543ec5d254ceab49975b2f

SHA512
bdea13d66989980c0d969fd5f22bebe44b67473ea5cddccb7d071ff403e7dec829dbb3cc46038ecf61c9a809eac87cce906060b4fc9500ec100f98247013dba3

Download Submit
memory/2104-15-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2104-22-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2104-21-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2104-19-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2104-20-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2104-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-10-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2612-14-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-17-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-11-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/2668-1-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/2668-9-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2668-8-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-4-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads