tofsee | 96d8d4d0cd9304b198005109fc99354a3a353f5f03a9aaf1ddbf0baa179ab0cf

Analysis

max time kernel
139s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000308f3e95064bc9116bcfcff9bd464.exe
Size

12.5MB
MD5

000308f3e95064bc9116bcfcff9bd464
SHA1

6a4b7f0d3ccb0a40a21265e14fa60bbfc5162bc8
SHA256

96d8d4d0cd9304b198005109fc99354a3a353f5f03a9aaf1ddbf0baa179ab0cf
SHA512

f5efd2c6728a3d12a83efca5dd0a979f34e9af3a7859d1010fafea300f4dd58d34e208f3b3bf3ffb8ca254ea3236957ca650e28c6c02391bbaffeb7f9a833d3c
SSDEEP

98304:qvjOF//////////////////////////////////////////////////////////H:c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nnvufepi = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2712	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nnvufepi\ImagePath = "C:\\Windows\\SysWOW64\\nnvufepi\\yatelthx.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2556	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	yatelthx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2556	2564	yatelthx.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2132	sc.exe
2076	sc.exe
2696	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2352	2196	000308f3e95064bc9116bcfcff9bd464.exe	28
PID 2196 wrote to memory of 2352	2196	000308f3e95064bc9116bcfcff9bd464.exe	28
PID 2196 wrote to memory of 2352	2196	000308f3e95064bc9116bcfcff9bd464.exe	28
PID 2196 wrote to memory of 2352	2196	000308f3e95064bc9116bcfcff9bd464.exe	28
PID 2196 wrote to memory of 1644	2196	000308f3e95064bc9116bcfcff9bd464.exe	30
PID 2196 wrote to memory of 1644	2196	000308f3e95064bc9116bcfcff9bd464.exe	30
PID 2196 wrote to memory of 1644	2196	000308f3e95064bc9116bcfcff9bd464.exe	30
PID 2196 wrote to memory of 1644	2196	000308f3e95064bc9116bcfcff9bd464.exe	30
PID 2196 wrote to memory of 2132	2196	000308f3e95064bc9116bcfcff9bd464.exe	32
PID 2196 wrote to memory of 2132	2196	000308f3e95064bc9116bcfcff9bd464.exe	32
PID 2196 wrote to memory of 2132	2196	000308f3e95064bc9116bcfcff9bd464.exe	32
PID 2196 wrote to memory of 2132	2196	000308f3e95064bc9116bcfcff9bd464.exe	32
PID 2196 wrote to memory of 2076	2196	000308f3e95064bc9116bcfcff9bd464.exe	35
PID 2196 wrote to memory of 2076	2196	000308f3e95064bc9116bcfcff9bd464.exe	35
PID 2196 wrote to memory of 2076	2196	000308f3e95064bc9116bcfcff9bd464.exe	35
PID 2196 wrote to memory of 2076	2196	000308f3e95064bc9116bcfcff9bd464.exe	35
PID 2196 wrote to memory of 2696	2196	000308f3e95064bc9116bcfcff9bd464.exe	37
PID 2196 wrote to memory of 2696	2196	000308f3e95064bc9116bcfcff9bd464.exe	37
PID 2196 wrote to memory of 2696	2196	000308f3e95064bc9116bcfcff9bd464.exe	37
PID 2196 wrote to memory of 2696	2196	000308f3e95064bc9116bcfcff9bd464.exe	37
PID 2196 wrote to memory of 2712	2196	000308f3e95064bc9116bcfcff9bd464.exe	40
PID 2196 wrote to memory of 2712	2196	000308f3e95064bc9116bcfcff9bd464.exe	40
PID 2196 wrote to memory of 2712	2196	000308f3e95064bc9116bcfcff9bd464.exe	40
PID 2196 wrote to memory of 2712	2196	000308f3e95064bc9116bcfcff9bd464.exe	40
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41
PID 2564 wrote to memory of 2556	2564	yatelthx.exe	41

C:\Users\Admin\AppData\Local\Temp\000308f3e95064bc9116bcfcff9bd464.exe
"C:\Users\Admin\AppData\Local\Temp\000308f3e95064bc9116bcfcff9bd464.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nnvufepi\
  2⤵
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yatelthx.exe" C:\Windows\SysWOW64\nnvufepi\
  2⤵
  PID:1644
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nnvufepi binPath= "C:\Windows\SysWOW64\nnvufepi\yatelthx.exe /d\"C:\Users\Admin\AppData\Local\Temp\000308f3e95064bc9116bcfcff9bd464.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2132
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nnvufepi "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nnvufepi
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2712

C:\Windows\SysWOW64\nnvufepi\yatelthx.exe
C:\Windows\SysWOW64\nnvufepi\yatelthx.exe /d"C:\Users\Admin\AppData\Local\Temp\000308f3e95064bc9116bcfcff9bd464.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yatelthx.exe

Filesize
4.5MB

MD5
8a494ccfd4301e68fa2b6970a5efbca1

SHA1
7a61c3ca8ab092d6477f2f53dcbb34b2d210c57c

SHA256
e510aaa0f4981b67fd8c486badf83db3bcda076e63dd45db23824127473b6094

SHA512
cca942ea0ef9e1d115bccaaa76ecb46dcef5ef078dbab852b51552ac56a67a9398faff1b9fcd2901ca562f2a14271deec19192cb4848a0905a28721add98c0b7

Download Submit
C:\Windows\SysWOW64\nnvufepi\yatelthx.exe

Filesize
2.8MB

MD5
15081dfdf5b178b870caf63df5ef20c9

SHA1
f5b996a640a10d37cacafca7669884e3abadccdc

SHA256
5a3fa242430eba1d58c92871a3d6b950b4d3be819689b0c0cbf5d303b7a1f929

SHA512
2c6577e0c51fb1863569c2a2f0be18f3eb55683682a392ec6ac553662be02ee20e74c03d35b6f622a8946911d9fd6eff8d2d419567dae568531ab39b543a5938

Download Submit
memory/2196-1-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

Filesize
1024KB

Download
memory/2196-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2196-4-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2196-7-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2196-8-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2556-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2556-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2556-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2556-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2556-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2556-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2564-17-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2564-12-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2564-10-0x0000000000CC0000-0x0000000000DC0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads