tofsee | 7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b9cc0ee2d9c9a88d789249ecb86b1ba.exe
Size

10.7MB
MD5

4b9cc0ee2d9c9a88d789249ecb86b1ba
SHA1

64710b02f796d02403901b8cdf1a5ca331f2b037
SHA256

7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88
SHA512

781b520f96df3f99e5f92a65e4512603b55ab23359c816c453f2200916fff5fdd2d778c3db158ce603166192207b04058313e52a33ed7bf52b688567209e6248
SSDEEP

24576:UjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:Unh

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\btkcvznq = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2568	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\btkcvznq\ImagePath = "C:\\Windows\\SysWOW64\\btkcvznq\\gpftuixd.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2508	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	gpftuixd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2508	1488	gpftuixd.exe	43

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2360	sc.exe
2064	sc.exe
1756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2800	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	28
PID 2080 wrote to memory of 2800	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	28
PID 2080 wrote to memory of 2800	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	28
PID 2080 wrote to memory of 2800	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	28
PID 2080 wrote to memory of 2844	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	30
PID 2080 wrote to memory of 2844	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	30
PID 2080 wrote to memory of 2844	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	30
PID 2080 wrote to memory of 2844	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	30
PID 2080 wrote to memory of 2360	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	32
PID 2080 wrote to memory of 2360	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	32
PID 2080 wrote to memory of 2360	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	32
PID 2080 wrote to memory of 2360	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	32
PID 2080 wrote to memory of 2064	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	34
PID 2080 wrote to memory of 2064	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	34
PID 2080 wrote to memory of 2064	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	34
PID 2080 wrote to memory of 2064	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	34
PID 2080 wrote to memory of 1756	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	36
PID 2080 wrote to memory of 1756	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	36
PID 2080 wrote to memory of 1756	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	36
PID 2080 wrote to memory of 1756	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	36
PID 2080 wrote to memory of 2568	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	38
PID 2080 wrote to memory of 2568	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	38
PID 2080 wrote to memory of 2568	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	38
PID 2080 wrote to memory of 2568	2080	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	38
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43
PID 1488 wrote to memory of 2508	1488	gpftuixd.exe	43

C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe
"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\btkcvznq\
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gpftuixd.exe" C:\Windows\SysWOW64\btkcvznq\
  2⤵
  PID:2844
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create btkcvznq binPath= "C:\Windows\SysWOW64\btkcvznq\gpftuixd.exe /d\"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description btkcvznq "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2064
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start btkcvznq
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2568

C:\Windows\SysWOW64\btkcvznq\gpftuixd.exe
C:\Windows\SysWOW64\btkcvznq\gpftuixd.exe /d"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpftuixd.exe

Filesize
5.5MB

MD5
63222f6d7bd763bafeb26373cb96c695

SHA1
f6ebfee995bce52917227a439165098c805ada42

SHA256
8d31cb40321191743cc17d59c620fc84bdb4a4d6dcf69ece574c73ccf0eee77e

SHA512
82dc7d32c3784ab9ecf460007f1779d558b0b380cfb3131fb3ce2d453a1df702e0609b998375700da4359c4c371b7fbf99c7fb023c1fe2bf10c73d249561cc9f

Download Submit
C:\Windows\SysWOW64\btkcvznq\gpftuixd.exe

Filesize
2.3MB

MD5
4b18563bab27122568b5ee85d1a50ceb

SHA1
b362127e4c9010e2b5eaa7df7ffd61d0b65b00fc

SHA256
57fa990f0bf439ec66d5637e022508f247d1e4ed2b61c9a2d3a7a96ee2814388

SHA512
9242dfc18e23b1c9ac1c232f8e36996b0faba968684393ecac9d565182431dec14a250c58a91abbec7ebd7382009867dc5bf4abd8e57b7640cf7c590b82cc400

Download Submit
memory/1488-13-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/1488-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1488-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2080-8-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2080-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2080-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2080-1-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2080-9-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2080-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2080-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2508-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-23-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-24-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2508-25-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads