tofsee | 5363de7557a8cea70d59831cdeb9f42268f0d8628168c343bcd8f09851d0b6c2

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26c40137d44baffaed0feef784b5a6bd.exe
Size

14.7MB
MD5

26c40137d44baffaed0feef784b5a6bd
SHA1

cbd0f74afe260641d62a4020e6d3f00d56c14e75
SHA256

5363de7557a8cea70d59831cdeb9f42268f0d8628168c343bcd8f09851d0b6c2
SHA512

12f9c4a04590c72c75796eebcd06e7f8f7c94bd5495c57dee75ab9abbf6d3c8bca8be8edb4d86e2a17cff88116c4449fba491b201cf194859c259f75ae98b4c3
SSDEEP

98304:Bffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mchcyiil = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2472	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mchcyiil\ImagePath = "C:\\Windows\\SysWOW64\\mchcyiil\\yuouacul.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2632	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	yuouacul.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2632	2600	yuouacul.exe	38

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2840	sc.exe
2576	sc.exe
2664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2896	2412	26c40137d44baffaed0feef784b5a6bd.exe	18
PID 2412 wrote to memory of 2896	2412	26c40137d44baffaed0feef784b5a6bd.exe	18
PID 2412 wrote to memory of 2896	2412	26c40137d44baffaed0feef784b5a6bd.exe	18
PID 2412 wrote to memory of 2896	2412	26c40137d44baffaed0feef784b5a6bd.exe	18
PID 2412 wrote to memory of 2980	2412	26c40137d44baffaed0feef784b5a6bd.exe	28
PID 2412 wrote to memory of 2980	2412	26c40137d44baffaed0feef784b5a6bd.exe	28
PID 2412 wrote to memory of 2980	2412	26c40137d44baffaed0feef784b5a6bd.exe	28
PID 2412 wrote to memory of 2980	2412	26c40137d44baffaed0feef784b5a6bd.exe	28
PID 2412 wrote to memory of 2840	2412	26c40137d44baffaed0feef784b5a6bd.exe	33
PID 2412 wrote to memory of 2840	2412	26c40137d44baffaed0feef784b5a6bd.exe	33
PID 2412 wrote to memory of 2840	2412	26c40137d44baffaed0feef784b5a6bd.exe	33
PID 2412 wrote to memory of 2840	2412	26c40137d44baffaed0feef784b5a6bd.exe	33
PID 2412 wrote to memory of 2576	2412	26c40137d44baffaed0feef784b5a6bd.exe	35
PID 2412 wrote to memory of 2576	2412	26c40137d44baffaed0feef784b5a6bd.exe	35
PID 2412 wrote to memory of 2576	2412	26c40137d44baffaed0feef784b5a6bd.exe	35
PID 2412 wrote to memory of 2576	2412	26c40137d44baffaed0feef784b5a6bd.exe	35
PID 2412 wrote to memory of 2664	2412	26c40137d44baffaed0feef784b5a6bd.exe	37
PID 2412 wrote to memory of 2664	2412	26c40137d44baffaed0feef784b5a6bd.exe	37
PID 2412 wrote to memory of 2664	2412	26c40137d44baffaed0feef784b5a6bd.exe	37
PID 2412 wrote to memory of 2664	2412	26c40137d44baffaed0feef784b5a6bd.exe	37
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2600 wrote to memory of 2632	2600	yuouacul.exe	38
PID 2412 wrote to memory of 2472	2412	26c40137d44baffaed0feef784b5a6bd.exe	40
PID 2412 wrote to memory of 2472	2412	26c40137d44baffaed0feef784b5a6bd.exe	40
PID 2412 wrote to memory of 2472	2412	26c40137d44baffaed0feef784b5a6bd.exe	40
PID 2412 wrote to memory of 2472	2412	26c40137d44baffaed0feef784b5a6bd.exe	40

C:\Users\Admin\AppData\Local\Temp\26c40137d44baffaed0feef784b5a6bd.exe
"C:\Users\Admin\AppData\Local\Temp\26c40137d44baffaed0feef784b5a6bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mchcyiil\
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yuouacul.exe" C:\Windows\SysWOW64\mchcyiil\
  2⤵
  PID:2980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mchcyiil binPath= "C:\Windows\SysWOW64\mchcyiil\yuouacul.exe /d\"C:\Users\Admin\AppData\Local\Temp\26c40137d44baffaed0feef784b5a6bd.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2840
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mchcyiil "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start mchcyiil
  2⤵
  - Launches sc.exe
  PID:2664
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2632

C:\Windows\SysWOW64\mchcyiil\yuouacul.exe
C:\Windows\SysWOW64\mchcyiil\yuouacul.exe /d"C:\Users\Admin\AppData\Local\Temp\26c40137d44baffaed0feef784b5a6bd.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yuouacul.exe

Filesize
382KB

MD5
1050169a5ed69ed592f24c82382b66d1

SHA1
d72f56de40699214ac323ec325edf40ed52d9916

SHA256
e23ea8515bb21eb72d1f13374e6f53167a2cb0e8893925b5f273430bc04013ce

SHA512
6550baf4f75cd6a9becb7491d00108a8b08449d9a1c671ecdd0f4a90c08e38fe0b6e1c8ef2df8687888d16645371d8e7ff46e8e8a3978331562f48b5e308fb51

Download Submit
C:\Windows\SysWOW64\mchcyiil\yuouacul.exe

Filesize
92KB

MD5
b5afb2b21c608611b73d50aee0dea81f

SHA1
d7aeb3b41d97164fcea6602ef434da8c5ede715b

SHA256
508f63052e0fa61759d915e94615c400b377a5006ba4ab03b2aff8c1e72ba7db

SHA512
51957f9513c20fa32d95783525412fe857985669b059f8cdcebbc97d066ed58ba6f49bd0b681793d4c17aab33d4c54d1cfa045b058d8bb60a4e4391f5e224030

Download Submit
memory/2412-16-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2600-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2600-7-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2632-15-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-11-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-8-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-18-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-17-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2632-19-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads