tofsee | 78616f6bae70f51382c8c642a5580b9c433085a606ae59224ec8396aca6218f3

Analysis

max time kernel
3s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005a0841424cc8d1b71fc19702ca7647.exe
Size

14.8MB
MD5

005a0841424cc8d1b71fc19702ca7647
SHA1

c8be6235c1f962d109f0b42a7d61f4687b9bf03f
SHA256

78616f6bae70f51382c8c642a5580b9c433085a606ae59224ec8396aca6218f3
SHA512

bf1f71f1a4f71dcc2e4ca83677c080ad6540c8db4054f8eaea3f43b82f40f231e343bfb4005b6ec0f0cbc0243fa2b7fc5234345ae00fee9ef06437bae56e3f7c
SSDEEP

6144:/xbQq7asTdx16ifogWuQK4ZpG3XQ4L0hlDF5r:/ashxM05WewpmAljr

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
220	netsh.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1324	sc.exe
724	sc.exe
1284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4500	4636	WerFault.exe	102
4804	4616	WerFault.exe	53

C:\Users\Admin\AppData\Local\Temp\005a0841424cc8d1b71fc19702ca7647.exe
"C:\Users\Admin\AppData\Local\Temp\005a0841424cc8d1b71fc19702ca7647.exe"
1⤵
PID:4616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mdkebrt\
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hyyrhghv.exe" C:\Windows\SysWOW64\mdkebrt\
  2⤵
  PID:3864
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mdkebrt binPath= "C:\Windows\SysWOW64\mdkebrt\hyyrhghv.exe /d\"C:\Users\Admin\AppData\Local\Temp\005a0841424cc8d1b71fc19702ca7647.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1324
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mdkebrt "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:724
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start mdkebrt
  2⤵
  - Launches sc.exe
  PID:1284
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 792
  2⤵
  - Program crash
  PID:4804

C:\Windows\SysWOW64\mdkebrt\hyyrhghv.exe
C:\Windows\SysWOW64\mdkebrt\hyyrhghv.exe /d"C:\Users\Admin\AppData\Local\Temp\005a0841424cc8d1b71fc19702ca7647.exe"
1⤵
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 532
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4616 -ip 4616
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4636 -ip 4636
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-11-0x0000000000960000-0x0000000000975000-memory.dmp

Filesize
84KB

Download
memory/1788-14-0x0000000000960000-0x0000000000975000-memory.dmp

Filesize
84KB

Download
memory/1788-18-0x0000000000960000-0x0000000000975000-memory.dmp

Filesize
84KB

Download
memory/1788-17-0x0000000000960000-0x0000000000975000-memory.dmp

Filesize
84KB

Download
memory/1788-19-0x0000000000960000-0x0000000000975000-memory.dmp

Filesize
84KB

Download
memory/4616-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4616-1-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4616-16-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4616-2-0x0000000002200000-0x0000000002213000-memory.dmp

Filesize
76KB

Download
memory/4636-10-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4636-9-0x0000000000D80000-0x0000000000D93000-memory.dmp

Filesize
76KB

Download
memory/4636-8-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/4636-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads