tofsee | 958fed2ae0ab7d68ce87e0694d6dca03c67d318a7d7cda91db4d1ad711b771d4

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2577b910eeaf33608920f2202a64b07c.exe
Size

10.4MB
MD5

2577b910eeaf33608920f2202a64b07c
SHA1

e3a0dd0c1cab946b2ba8fdb24dca6db350ae6630
SHA256

958fed2ae0ab7d68ce87e0694d6dca03c67d318a7d7cda91db4d1ad711b771d4
SHA512

824bec1b9ce5b3a4087cf434910ebb40c2b779deb22260b755e49282c9c651322f9c00242e97c39de44d5a6b6e44c51bb59ba3d390750fcae66e1b0f41e87e4c
SSDEEP

6144:d5VCb4QuzFYpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:D8NKFYp

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ucmstaxr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2828	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ucmstaxr\ImagePath = "C:\\Windows\\SysWOW64\\ucmstaxr\\gwcvweud.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2728	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	gwcvweud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2728	2676	gwcvweud.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe
2548	sc.exe
2812	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2232	1728	2577b910eeaf33608920f2202a64b07c.exe	28
PID 1728 wrote to memory of 2232	1728	2577b910eeaf33608920f2202a64b07c.exe	28
PID 1728 wrote to memory of 2232	1728	2577b910eeaf33608920f2202a64b07c.exe	28
PID 1728 wrote to memory of 2232	1728	2577b910eeaf33608920f2202a64b07c.exe	28
PID 1728 wrote to memory of 2316	1728	2577b910eeaf33608920f2202a64b07c.exe	30
PID 1728 wrote to memory of 2316	1728	2577b910eeaf33608920f2202a64b07c.exe	30
PID 1728 wrote to memory of 2316	1728	2577b910eeaf33608920f2202a64b07c.exe	30
PID 1728 wrote to memory of 2316	1728	2577b910eeaf33608920f2202a64b07c.exe	30
PID 1728 wrote to memory of 2748	1728	2577b910eeaf33608920f2202a64b07c.exe	32
PID 1728 wrote to memory of 2748	1728	2577b910eeaf33608920f2202a64b07c.exe	32
PID 1728 wrote to memory of 2748	1728	2577b910eeaf33608920f2202a64b07c.exe	32
PID 1728 wrote to memory of 2748	1728	2577b910eeaf33608920f2202a64b07c.exe	32
PID 1728 wrote to memory of 2548	1728	2577b910eeaf33608920f2202a64b07c.exe	34
PID 1728 wrote to memory of 2548	1728	2577b910eeaf33608920f2202a64b07c.exe	34
PID 1728 wrote to memory of 2548	1728	2577b910eeaf33608920f2202a64b07c.exe	34
PID 1728 wrote to memory of 2548	1728	2577b910eeaf33608920f2202a64b07c.exe	34
PID 1728 wrote to memory of 2812	1728	2577b910eeaf33608920f2202a64b07c.exe	36
PID 1728 wrote to memory of 2812	1728	2577b910eeaf33608920f2202a64b07c.exe	36
PID 1728 wrote to memory of 2812	1728	2577b910eeaf33608920f2202a64b07c.exe	36
PID 1728 wrote to memory of 2812	1728	2577b910eeaf33608920f2202a64b07c.exe	36
PID 1728 wrote to memory of 2828	1728	2577b910eeaf33608920f2202a64b07c.exe	38
PID 1728 wrote to memory of 2828	1728	2577b910eeaf33608920f2202a64b07c.exe	38
PID 1728 wrote to memory of 2828	1728	2577b910eeaf33608920f2202a64b07c.exe	38
PID 1728 wrote to memory of 2828	1728	2577b910eeaf33608920f2202a64b07c.exe	38
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41
PID 2676 wrote to memory of 2728	2676	gwcvweud.exe	41

C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe
"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ucmstaxr\
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gwcvweud.exe" C:\Windows\SysWOW64\ucmstaxr\
  2⤵
  PID:2316
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ucmstaxr binPath= "C:\Windows\SysWOW64\ucmstaxr\gwcvweud.exe /d\"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2748
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ucmstaxr "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ucmstaxr
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2828

C:\Windows\SysWOW64\ucmstaxr\gwcvweud.exe
C:\Windows\SysWOW64\ucmstaxr\gwcvweud.exe /d"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gwcvweud.exe

Filesize
14.2MB

MD5
d30133f605449790dac9c6b7750207c2

SHA1
ffb97b28fc42e1f7ed2dd9832652ee1563245653

SHA256
f9445c7cceed11958692006ab5fea842c0a2fe06fc7fef4255afeddff5659a8c

SHA512
3f0e5d88f7d69a099d8233a1f76b5cf96ac97b4e2e8bff3652b9e7ec82fc114534fc7f72d3649f90e1398c3d493a007c07d6ad65861f8a5d7d450abd4eb7a730

Download Submit
memory/2728-7-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2728-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2728-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2728-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2728-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2728-13-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads