tofsee | 132c5b03e61c06253f063bed3dcf12d79070e3fc0c9de2c124afe4370ae7849d

Analysis

max time kernel
3s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6a31ca39076991ef09c7b511221168.exe
Size

14.1MB
MD5

4c6a31ca39076991ef09c7b511221168
SHA1

5e0ece30434be7dd3a3fb5858d1121114ea40a6a
SHA256

132c5b03e61c06253f063bed3dcf12d79070e3fc0c9de2c124afe4370ae7849d
SHA512

01cc98c015ac0ea8cd301aa9c264d4417b9703b138f98901fa9ea31b70192e6a64b9df2afc83e75d76f2d6613f52cfb848a8ec97420ed524063264a37ae3733e
SSDEEP

49152:RHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4404	netsh.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5032	sc.exe
2976	sc.exe
4812	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4068	2800	WerFault.exe	20
3156	2504	WerFault.exe	100

C:\Users\Admin\AppData\Local\Temp\4c6a31ca39076991ef09c7b511221168.exe
"C:\Users\Admin\AppData\Local\Temp\4c6a31ca39076991ef09c7b511221168.exe"
1⤵
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vlqlgjfk\
  2⤵
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpotdouy.exe" C:\Windows\SysWOW64\vlqlgjfk\
  2⤵
  PID:2448
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create vlqlgjfk binPath= "C:\Windows\SysWOW64\vlqlgjfk\cpotdouy.exe /d\"C:\Users\Admin\AppData\Local\Temp\4c6a31ca39076991ef09c7b511221168.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:5032
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description vlqlgjfk "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start vlqlgjfk
  2⤵
  - Launches sc.exe
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1044
  2⤵
  - Program crash
  PID:4068
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4404

C:\Windows\SysWOW64\vlqlgjfk\cpotdouy.exe
C:\Windows\SysWOW64\vlqlgjfk\cpotdouy.exe /d"C:\Users\Admin\AppData\Local\Temp\4c6a31ca39076991ef09c7b511221168.exe"
1⤵
PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 520
  2⤵
  - Program crash
  PID:3156
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2800 -ip 2800
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2504 -ip 2504
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-14-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/2504-11-0x0000000000E20000-0x0000000000F20000-memory.dmp

Filesize
1024KB

Download
memory/2620-10-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/2620-17-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/2620-16-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/2620-19-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/2800-2-0x0000000000DC0000-0x0000000000DD3000-memory.dmp

Filesize
76KB

Download
memory/2800-4-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/2800-1-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/2800-7-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/2800-8-0x0000000000DC0000-0x0000000000DD3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads