tofsee | c2b497b796bd3e02cf5fd162ca2bf225846f1312bbdfdb8e01486bc9b41c88f3

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0807543971e18ff126a7d0005b5e677e.exe
Size

13.5MB
MD5

0807543971e18ff126a7d0005b5e677e
SHA1

0fc94ea9321da3d9b44d15f1a34066ec87a2b04f
SHA256

c2b497b796bd3e02cf5fd162ca2bf225846f1312bbdfdb8e01486bc9b41c88f3
SHA512

978b1c6ef843124841341d2fee8d910d57fb314db97da24e1db74f9e2c431945d1d84091899b5f353eb51df694fb1e6ef05264a140a0665b56ccb039bc8cce29
SSDEEP

6144:paMudoalz7/PDt9m2O0TAxhlJlHWmuPoVd4/VVtytytytytytytytytytytytyt/:nudoSjt9m2cTlXHWmugIV

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2544	netsh.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2044	sc.exe
2648	sc.exe
2692	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2272	2884	0807543971e18ff126a7d0005b5e677e.exe	23
PID 2884 wrote to memory of 2272	2884	0807543971e18ff126a7d0005b5e677e.exe	23
PID 2884 wrote to memory of 2272	2884	0807543971e18ff126a7d0005b5e677e.exe	23
PID 2884 wrote to memory of 2272	2884	0807543971e18ff126a7d0005b5e677e.exe	23

C:\Users\Admin\AppData\Local\Temp\0807543971e18ff126a7d0005b5e677e.exe
"C:\Users\Admin\AppData\Local\Temp\0807543971e18ff126a7d0005b5e677e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\awgegzwp\
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\asxxewqu.exe" C:\Windows\SysWOW64\awgegzwp\
  2⤵
  PID:2196
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create awgegzwp binPath= "C:\Windows\SysWOW64\awgegzwp\asxxewqu.exe /d\"C:\Users\Admin\AppData\Local\Temp\0807543971e18ff126a7d0005b5e677e.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description awgegzwp "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2648
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start awgegzwp
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2544

C:\Windows\SysWOW64\awgegzwp\asxxewqu.exe
C:\Windows\SysWOW64\awgegzwp\asxxewqu.exe /d"C:\Users\Admin\AppData\Local\Temp\0807543971e18ff126a7d0005b5e677e.exe"
1⤵
PID:2600
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asxxewqu.exe

Filesize
92KB

MD5
1de93dec12f5d3422e101152ee833006

SHA1
d3376263f484f49685a1c207fddb1004dddf943a

SHA256
26ba110d94de780615e7dbb007168c4f388a866fdc7f1aa0a0250ec9d929f51c

SHA512
dd38be3b292d2231dfb78380c0af5710e6b7563e1a1173753a6608482ab153c04cdc2aab9e0ed526b49139dfffef7e72ebff7ec6de07b1664944bcf177b61b72

Download Submit
memory/2600-8-0x0000000003320000-0x0000000003420000-memory.dmp

Filesize
1024KB

Download
memory/2600-14-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/2600-16-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/2884-4-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/2884-3-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/2884-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2884-15-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/3004-9-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/3004-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads