tofsee | bc9ad68ce7fadb5334dcad56464a9f19bd010f91d042146efd475ee75cd66fcf

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24e7e55104c81fd3475a9ef3c5793e0d.exe
Size

13.5MB
MD5

24e7e55104c81fd3475a9ef3c5793e0d
SHA1

2e0199e1d53bb01fa88627c635eeb7a536b423f3
SHA256

bc9ad68ce7fadb5334dcad56464a9f19bd010f91d042146efd475ee75cd66fcf
SHA512

7780247138929e6b0f7301341192e02ffe3f8f9c94ee940872297aca2493d6d5e92f212acf909379c0c680e9b687f5bb27caba32308da5b1704ed9156200d9e0
SSDEEP

49152:V1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:VA

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2608	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1248	cexipxlb.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2280	sc.exe
2720	sc.exe
2576	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2660	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	29
PID 1288 wrote to memory of 2660	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	29
PID 1288 wrote to memory of 2660	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	29
PID 1288 wrote to memory of 2660	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	29
PID 1288 wrote to memory of 2776	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	31
PID 1288 wrote to memory of 2776	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	31
PID 1288 wrote to memory of 2776	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	31
PID 1288 wrote to memory of 2776	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	31
PID 1288 wrote to memory of 2720	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	33
PID 1288 wrote to memory of 2720	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	33
PID 1288 wrote to memory of 2720	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	33
PID 1288 wrote to memory of 2720	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	33
PID 1288 wrote to memory of 2576	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	35
PID 1288 wrote to memory of 2576	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	35
PID 1288 wrote to memory of 2576	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	35
PID 1288 wrote to memory of 2576	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	35
PID 1288 wrote to memory of 2280	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	36
PID 1288 wrote to memory of 2280	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	36
PID 1288 wrote to memory of 2280	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	36
PID 1288 wrote to memory of 2280	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	36
PID 1288 wrote to memory of 2608	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	38
PID 1288 wrote to memory of 2608	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	38
PID 1288 wrote to memory of 2608	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	38
PID 1288 wrote to memory of 2608	1288	24e7e55104c81fd3475a9ef3c5793e0d.exe	38
PID 1248 wrote to memory of 1100	1248	cexipxlb.exe	43
PID 1248 wrote to memory of 1100	1248	cexipxlb.exe	43
PID 1248 wrote to memory of 1100	1248	cexipxlb.exe	43
PID 1248 wrote to memory of 1100	1248	cexipxlb.exe	43
PID 1248 wrote to memory of 1100	1248	cexipxlb.exe	43

C:\Users\Admin\AppData\Local\Temp\24e7e55104c81fd3475a9ef3c5793e0d.exe
"C:\Users\Admin\AppData\Local\Temp\24e7e55104c81fd3475a9ef3c5793e0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mfdnzsea\
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cexipxlb.exe" C:\Windows\SysWOW64\mfdnzsea\
  2⤵
  PID:2776
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mfdnzsea binPath= "C:\Windows\SysWOW64\mfdnzsea\cexipxlb.exe /d\"C:\Users\Admin\AppData\Local\Temp\24e7e55104c81fd3475a9ef3c5793e0d.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mfdnzsea "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start mfdnzsea
  2⤵
  - Launches sc.exe
  PID:2280
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2608

C:\Windows\SysWOW64\mfdnzsea\cexipxlb.exe
C:\Windows\SysWOW64\mfdnzsea\cexipxlb.exe /d"C:\Users\Admin\AppData\Local\Temp\24e7e55104c81fd3475a9ef3c5793e0d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cexipxlb.exe

Filesize
53KB

MD5
f9dd9cdb46cded74974bb61ed060c9f8

SHA1
239b895fa4c4464a8e8449fe04bf2f3bf7dbed22

SHA256
2619b42c0246a04e2472181c08d206e118ff005215e1ce84df1bb29b2559b3cf

SHA512
fd96ab69bb22abf09d1ee84783573c0b9b28ed7d451dbc9eff73f5fd721317e31d5718a6f1b13a3c66632ba2f3ead2c01a4119ffebdc5668f9d95340fa5ebba5

Download Submit
C:\Windows\SysWOW64\mfdnzsea\cexipxlb.exe

Filesize
384KB

MD5
38d512aee5a005b77aa75d21fb6d2c27

SHA1
123729dba371fff7bf45edaa6c09a6991780012c

SHA256
0ec70c0007af64bc45db42038ce7c283c5730a02c49f347e162f3613c3347f82

SHA512
05dd56082c94f124632d49011b1bc0da236db692d354f3531e88a477aeb1e93f393ba226651db3b247e0d45157ed0f9dad054913280d8f3c18fa7d7d91bccc39

Download Submit
memory/1100-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1100-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1248-9-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/1248-12-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download
memory/1248-16-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/1288-3-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1288-1-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/1288-4-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download
memory/1288-6-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads