tofsee | ed12839b6d59af224c0160bb7431a252658952672b23436f0da75343ad30d9bb

Analysis

max time kernel
149s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570cb3c8f1b4128dccabb856d58cce88.exe
Size

13.7MB
MD5

570cb3c8f1b4128dccabb856d58cce88
SHA1

13a367d5217658076dea133c23f77b38d72c7e7a
SHA256

ed12839b6d59af224c0160bb7431a252658952672b23436f0da75343ad30d9bb
SHA512

5ceb0ab5dda28c22dca372a537270ad386e52a7ffefba94f508141641e6c0abd73e45dd5387b1640de2575d6c11fa808cfcca2d27ae93cae75065e265fafde1d
SSDEEP

24576:kjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:knh

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\caqmbkqp = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2580	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\caqmbkqp\ImagePath = "C:\\Windows\\SysWOW64\\caqmbkqp\\osvrdmjf.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1624	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
840	osvrdmjf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 1624	840	osvrdmjf.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2688	sc.exe
2812	sc.exe
2708	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2232	2460	570cb3c8f1b4128dccabb856d58cce88.exe	28
PID 2460 wrote to memory of 2232	2460	570cb3c8f1b4128dccabb856d58cce88.exe	28
PID 2460 wrote to memory of 2232	2460	570cb3c8f1b4128dccabb856d58cce88.exe	28
PID 2460 wrote to memory of 2232	2460	570cb3c8f1b4128dccabb856d58cce88.exe	28
PID 2460 wrote to memory of 2744	2460	570cb3c8f1b4128dccabb856d58cce88.exe	31
PID 2460 wrote to memory of 2744	2460	570cb3c8f1b4128dccabb856d58cce88.exe	31
PID 2460 wrote to memory of 2744	2460	570cb3c8f1b4128dccabb856d58cce88.exe	31
PID 2460 wrote to memory of 2744	2460	570cb3c8f1b4128dccabb856d58cce88.exe	31
PID 2460 wrote to memory of 2688	2460	570cb3c8f1b4128dccabb856d58cce88.exe	32
PID 2460 wrote to memory of 2688	2460	570cb3c8f1b4128dccabb856d58cce88.exe	32
PID 2460 wrote to memory of 2688	2460	570cb3c8f1b4128dccabb856d58cce88.exe	32
PID 2460 wrote to memory of 2688	2460	570cb3c8f1b4128dccabb856d58cce88.exe	32
PID 2460 wrote to memory of 2812	2460	570cb3c8f1b4128dccabb856d58cce88.exe	35
PID 2460 wrote to memory of 2812	2460	570cb3c8f1b4128dccabb856d58cce88.exe	35
PID 2460 wrote to memory of 2812	2460	570cb3c8f1b4128dccabb856d58cce88.exe	35
PID 2460 wrote to memory of 2812	2460	570cb3c8f1b4128dccabb856d58cce88.exe	35
PID 2460 wrote to memory of 2708	2460	570cb3c8f1b4128dccabb856d58cce88.exe	37
PID 2460 wrote to memory of 2708	2460	570cb3c8f1b4128dccabb856d58cce88.exe	37
PID 2460 wrote to memory of 2708	2460	570cb3c8f1b4128dccabb856d58cce88.exe	37
PID 2460 wrote to memory of 2708	2460	570cb3c8f1b4128dccabb856d58cce88.exe	37
PID 2460 wrote to memory of 2580	2460	570cb3c8f1b4128dccabb856d58cce88.exe	38
PID 2460 wrote to memory of 2580	2460	570cb3c8f1b4128dccabb856d58cce88.exe	38
PID 2460 wrote to memory of 2580	2460	570cb3c8f1b4128dccabb856d58cce88.exe	38
PID 2460 wrote to memory of 2580	2460	570cb3c8f1b4128dccabb856d58cce88.exe	38
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41
PID 840 wrote to memory of 1624	840	osvrdmjf.exe	41

C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe
"C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\caqmbkqp\
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\osvrdmjf.exe" C:\Windows\SysWOW64\caqmbkqp\
  2⤵
  PID:2744
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create caqmbkqp binPath= "C:\Windows\SysWOW64\caqmbkqp\osvrdmjf.exe /d\"C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2688
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description caqmbkqp "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start caqmbkqp
  2⤵
  - Launches sc.exe
  PID:2708
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2580

C:\Windows\SysWOW64\caqmbkqp\osvrdmjf.exe
C:\Windows\SysWOW64\caqmbkqp\osvrdmjf.exe /d"C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\osvrdmjf.exe

Filesize
77KB

MD5
cbf27a20cbb46dd51a503422610b8027

SHA1
56f41c7053b030fcea989784ddbbc840314c3344

SHA256
d9c0e6a0f0d674b706248c634e247984da2f7f8dbcc289824f2a5cbf5f90c380

SHA512
b0b8ad8ac232d2753508ccce0b6fc5b5a2c6982186fa1a4bdae005761e56b300a85c8182127e4d6d51a4aa2e36c3a1ff8eb5382a706ab21d28d6202a82989181

Download Submit
C:\Windows\SysWOW64\caqmbkqp\osvrdmjf.exe

Filesize
159KB

MD5
ef1d3b3698f257811bbfff79b4bd99ee

SHA1
df10d181a50b4e70819a57b26ebc87022e9cf668

SHA256
e7ad57fd13252dc4d392a304b94702d18d59f687d153730cb47aa60469a6081a

SHA512
c3d0bb1d01114e72abb1b45667e79a553beb16fa4b29b4106960ffdfb68d31df9d12737f4b29e13996f45beb4a1629aebd2fdc691a9a29c6b90e2f47258346db

Download Submit
memory/840-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/840-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/840-11-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1624-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-17-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-23-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-24-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2460-10-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2460-8-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2460-7-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2460-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2460-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2460-1-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads