tofsee | 7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b9cc0ee2d9c9a88d789249ecb86b1ba.exe
Size

10.7MB
MD5

4b9cc0ee2d9c9a88d789249ecb86b1ba
SHA1

64710b02f796d02403901b8cdf1a5ca331f2b037
SHA256

7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88
SHA512

781b520f96df3f99e5f92a65e4512603b55ab23359c816c453f2200916fff5fdd2d778c3db158ce603166192207b04058313e52a33ed7bf52b688567209e6248
SSDEEP

24576:UjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:Unh

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3492	netsh.exe
4184	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aapgrimt\ImagePath = "C:\\Windows\\SysWOW64\\aapgrimt\\oxfdwybb.exe"	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	llerdazb.exe

Executes dropped EXE 2 IoCs

pid	Process
2600	llerdazb.exe
3816	oxfdwybb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oodufwah = "\"C:\\Users\\Admin\\llerdazb.exe\""	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3816 set thread context of 1368	3816	oxfdwybb.exe	122

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1716	sc.exe
3424	sc.exe
1452	sc.exe
3312	sc.exe
1012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4784	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	96
PID 3748 wrote to memory of 4784	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	96
PID 3748 wrote to memory of 4784	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	96
PID 3748 wrote to memory of 4872	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	97
PID 3748 wrote to memory of 4872	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	97
PID 3748 wrote to memory of 4872	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	97
PID 3748 wrote to memory of 1716	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	100
PID 3748 wrote to memory of 1716	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	100
PID 3748 wrote to memory of 1716	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	100
PID 3748 wrote to memory of 3424	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	102
PID 3748 wrote to memory of 3424	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	102
PID 3748 wrote to memory of 3424	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	102
PID 3748 wrote to memory of 1452	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	104
PID 3748 wrote to memory of 1452	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	104
PID 3748 wrote to memory of 1452	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	104
PID 3748 wrote to memory of 4184	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	106
PID 3748 wrote to memory of 4184	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	106
PID 3748 wrote to memory of 4184	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	106
PID 3748 wrote to memory of 2600	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	109
PID 3748 wrote to memory of 2600	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	109
PID 3748 wrote to memory of 2600	3748	4b9cc0ee2d9c9a88d789249ecb86b1ba.exe	109
PID 2600 wrote to memory of 4032	2600	llerdazb.exe	110
PID 2600 wrote to memory of 4032	2600	llerdazb.exe	110
PID 2600 wrote to memory of 4032	2600	llerdazb.exe	110
PID 2600 wrote to memory of 3312	2600	llerdazb.exe	112
PID 2600 wrote to memory of 3312	2600	llerdazb.exe	112
PID 2600 wrote to memory of 3312	2600	llerdazb.exe	112
PID 2600 wrote to memory of 1012	2600	llerdazb.exe	116
PID 2600 wrote to memory of 1012	2600	llerdazb.exe	116
PID 2600 wrote to memory of 1012	2600	llerdazb.exe	116
PID 2600 wrote to memory of 3492	2600	llerdazb.exe	118
PID 2600 wrote to memory of 3492	2600	llerdazb.exe	118
PID 2600 wrote to memory of 3492	2600	llerdazb.exe	118
PID 3816 wrote to memory of 1368	3816	oxfdwybb.exe	122
PID 3816 wrote to memory of 1368	3816	oxfdwybb.exe	122
PID 3816 wrote to memory of 1368	3816	oxfdwybb.exe	122
PID 3816 wrote to memory of 1368	3816	oxfdwybb.exe	122
PID 3816 wrote to memory of 1368	3816	oxfdwybb.exe	122

C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe
"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aapgrimt\
  2⤵
  PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mfxtrcq.exe" C:\Windows\SysWOW64\aapgrimt\
  2⤵
  PID:4872
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create aapgrimt binPath= "C:\Windows\SysWOW64\aapgrimt\mfxtrcq.exe /d\"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1716
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description aapgrimt "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:3424
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start aapgrimt
  2⤵
  - Launches sc.exe
  PID:1452
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4184
- C:\Users\Admin\llerdazb.exe
  "C:\Users\Admin\llerdazb.exe" /d"C:\Users\Admin\AppData\Local\Temp\4b9cc0ee2d9c9a88d789249ecb86b1ba.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oxfdwybb.exe" C:\Windows\SysWOW64\aapgrimt\
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config aapgrimt binPath= "C:\Windows\SysWOW64\aapgrimt\oxfdwybb.exe /d\"C:\Users\Admin\llerdazb.exe\""
    3⤵
    - Launches sc.exe
    PID:3312
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start aapgrimt
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:3492

C:\Windows\SysWOW64\aapgrimt\oxfdwybb.exe
C:\Windows\SysWOW64\aapgrimt\oxfdwybb.exe /d"C:\Users\Admin\llerdazb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mfxtrcq.exe

Filesize
11.8MB

MD5
9297d4928396135aeab981fbc8af39f4

SHA1
60abed7ef7d8819231eae3030a4865bc89e4c849

SHA256
5e2758195b6d6d2c391d12cbd73eb3234e47a595c6b5c2cab4542a9bcb543528

SHA512
977015ff90181f2e70e80ba73eec9f02053cbbfbcbf0282c3db37a00b59603cbcf972174bca966f4321debb612c7dc06cce40da41e01c301503bd6896d944909

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxfdwybb.exe

Filesize
9.4MB

MD5
f6bfff2060fd3bd82b7fa3352f4d9c8c

SHA1
b519fe7cc945f5650eaecb71149526afaf591810

SHA256
3f4e17e8b46354e557742fda049a1eb4d11bdd044e1130680fa4914aacb9f04f

SHA512
c120318b29409e428bc3b220bab0d7d8baca8cddcb398371f91f41ecca1c93b0e0a7c1d799da2988654bf655e1970c043331715d1dd8ef523b40bcb327326740

Download Submit
C:\Users\Admin\llerdazb.exe

Filesize
4.2MB

MD5
c8a570189f29ec209982e8f31a47472e

SHA1
2756c797fb78e6803b34529d044206f8711db364

SHA256
89df5bda8fe7d6a00be9578c156cf83b0c07bb6893bbc9ebd3c9d2e3ca22c318

SHA512
1062d54d763e7b1786203b4f56ba9353ba9fc554352bbcf433bec72ca8f915f1236ea0d8542b7e108eb7666dd116f314f0b67b0b2c928f720e19b61ae2b29e3c

Download Submit
C:\Users\Admin\llerdazb.exe

Filesize
2.4MB

MD5
55a757c7efbf5943537508c0efa379b2

SHA1
2b050b27ae8e33ccc11eba93e16f556c2d60f0e8

SHA256
eaed03f029c69f858c5c09cf636c23f75ab6d03ffa82fbf0b84171f8f5bd8eb3

SHA512
46ddf09381b3a0d9b3931e2166d2bb91c97ed6754cfbf70f8c9690c5e37a7eeb903f4e731fee4c71c7a835c6e832bd5f1315c50fbb5bd8acdba106016a38d581

Download Submit
C:\Windows\SysWOW64\aapgrimt\oxfdwybb.exe

Filesize
1.8MB

MD5
4f4f4aab98c5b393ee7165c25ae144f6

SHA1
b24da620c30c0284b1eef03efbb28945460e972d

SHA256
215d1cd3dc8430f0005bbf2579746934edd6631c2b134518a5a3e43d49631acd

SHA512
8b1a1e056dbcf960f16741f3416adab3907afbd9f5e74a29f329544663d52a2a29027d1c8cb968fbf628e10e621002b2ca6aea356cb4cd101a7c3873ac5018c3

Download Submit
memory/1368-37-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1368-30-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1368-33-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1368-38-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/2600-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2600-47-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2600-20-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2600-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-8-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/3748-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-1-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3748-7-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3748-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-4-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-2-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/3816-28-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/3816-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3816-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads