tofsee | 8a6320644407262f3cabe048c266256c85f90abc320a72b6fed07bea485a7637

Analysis

max time kernel
150s
max time network
186s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15c6baeffcaf713f893bde05acc50d3e.exe
Size

13.9MB
MD5

15c6baeffcaf713f893bde05acc50d3e
SHA1

89515a974db16b6f4fe0d24989c0cc128c534163
SHA256

8a6320644407262f3cabe048c266256c85f90abc320a72b6fed07bea485a7637
SHA512

30b49a09ef5f77c6b7d9618c9c3fc23f533284ecf3c4c3806df978e3bea7060b7580d1718d95e011cae3680692c0299bd82d264408091ef5d87372b06df85cb6
SSDEEP

393216:UkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkH:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zrrbkfkt = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2580	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zrrbkfkt\ImagePath = "C:\\Windows\\SysWOW64\\zrrbkfkt\\yhxlmapv.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2564	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	yhxlmapv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 2564	2660	yhxlmapv.exe	43

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2608	sc.exe
2748	sc.exe
2948	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2288	2260	15c6baeffcaf713f893bde05acc50d3e.exe	28
PID 2260 wrote to memory of 2288	2260	15c6baeffcaf713f893bde05acc50d3e.exe	28
PID 2260 wrote to memory of 2288	2260	15c6baeffcaf713f893bde05acc50d3e.exe	28
PID 2260 wrote to memory of 2288	2260	15c6baeffcaf713f893bde05acc50d3e.exe	28
PID 2260 wrote to memory of 2796	2260	15c6baeffcaf713f893bde05acc50d3e.exe	30
PID 2260 wrote to memory of 2796	2260	15c6baeffcaf713f893bde05acc50d3e.exe	30
PID 2260 wrote to memory of 2796	2260	15c6baeffcaf713f893bde05acc50d3e.exe	30
PID 2260 wrote to memory of 2796	2260	15c6baeffcaf713f893bde05acc50d3e.exe	30
PID 2260 wrote to memory of 2948	2260	15c6baeffcaf713f893bde05acc50d3e.exe	34
PID 2260 wrote to memory of 2948	2260	15c6baeffcaf713f893bde05acc50d3e.exe	34
PID 2260 wrote to memory of 2948	2260	15c6baeffcaf713f893bde05acc50d3e.exe	34
PID 2260 wrote to memory of 2948	2260	15c6baeffcaf713f893bde05acc50d3e.exe	34
PID 2260 wrote to memory of 2608	2260	15c6baeffcaf713f893bde05acc50d3e.exe	36
PID 2260 wrote to memory of 2608	2260	15c6baeffcaf713f893bde05acc50d3e.exe	36
PID 2260 wrote to memory of 2608	2260	15c6baeffcaf713f893bde05acc50d3e.exe	36
PID 2260 wrote to memory of 2608	2260	15c6baeffcaf713f893bde05acc50d3e.exe	36
PID 2260 wrote to memory of 2748	2260	15c6baeffcaf713f893bde05acc50d3e.exe	38
PID 2260 wrote to memory of 2748	2260	15c6baeffcaf713f893bde05acc50d3e.exe	38
PID 2260 wrote to memory of 2748	2260	15c6baeffcaf713f893bde05acc50d3e.exe	38
PID 2260 wrote to memory of 2748	2260	15c6baeffcaf713f893bde05acc50d3e.exe	38
PID 2260 wrote to memory of 2580	2260	15c6baeffcaf713f893bde05acc50d3e.exe	40
PID 2260 wrote to memory of 2580	2260	15c6baeffcaf713f893bde05acc50d3e.exe	40
PID 2260 wrote to memory of 2580	2260	15c6baeffcaf713f893bde05acc50d3e.exe	40
PID 2260 wrote to memory of 2580	2260	15c6baeffcaf713f893bde05acc50d3e.exe	40
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43
PID 2660 wrote to memory of 2564	2660	yhxlmapv.exe	43

C:\Users\Admin\AppData\Local\Temp\15c6baeffcaf713f893bde05acc50d3e.exe
"C:\Users\Admin\AppData\Local\Temp\15c6baeffcaf713f893bde05acc50d3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zrrbkfkt\
  2⤵
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yhxlmapv.exe" C:\Windows\SysWOW64\zrrbkfkt\
  2⤵
  PID:2796
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create zrrbkfkt binPath= "C:\Windows\SysWOW64\zrrbkfkt\yhxlmapv.exe /d\"C:\Users\Admin\AppData\Local\Temp\15c6baeffcaf713f893bde05acc50d3e.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2948
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description zrrbkfkt "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start zrrbkfkt
  2⤵
  - Launches sc.exe
  PID:2748
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2580

C:\Windows\SysWOW64\zrrbkfkt\yhxlmapv.exe
C:\Windows\SysWOW64\zrrbkfkt\yhxlmapv.exe /d"C:\Users\Admin\AppData\Local\Temp\15c6baeffcaf713f893bde05acc50d3e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yhxlmapv.exe

Filesize
4.0MB

MD5
8efaab5ca76678846938f7e6222dd775

SHA1
60f3cb3afc82a9b4c2d3f9ac84859272e2d890af

SHA256
9f039cc09b63227aa972cfe262f4fac76392799a9a0b8af7cfff759e0f8a6d5e

SHA512
524d931f9c3fe99319e16a56747c3e5897505234991afa7a2de48cfe0f210a358a82ba13410f86cc8496e7252d948450cd766c99f70d52b074c17bde0a6fa921

Download Submit
C:\Windows\SysWOW64\zrrbkfkt\yhxlmapv.exe

Filesize
1.2MB

MD5
d5297210b211e460471ae4cb211ca3fc

SHA1
cda5927de810dd46766eb9229e92b0589d43ad9d

SHA256
51cf9d0c5b36a7877b427172d696dbbaf3a936bb1d663b98385606eeb4ab1a52

SHA512
a2ed75c5e87440ad534120056a99b508f34846c9069c0432a07171cdc410c4870d6cf1ce0baf174b5c0c7d8b3f44303ed7c3dd4e6aaf612641bad011b6cc0d1c

Download Submit
memory/2260-1-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2260-2-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/2260-4-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/2260-6-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/2564-13-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2564-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2564-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2564-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2564-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2660-10-0x0000000002520000-0x0000000002620000-memory.dmp

Filesize
1024KB

Download
memory/2660-15-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/2660-16-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads