tofsee | 30cda9b67432d82254db302482b46478ef00329dd6ebffde2433acfbb524fa21

Analysis

max time kernel
23s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4097178d42417041c6dfce21a0702db1.exe
Size

12.2MB
MD5

4097178d42417041c6dfce21a0702db1
SHA1

7c42b2d34f8a175c3d9dff286329e4e562f0c881
SHA256

30cda9b67432d82254db302482b46478ef00329dd6ebffde2433acfbb524fa21
SHA512

6effa7b8fb3e17cca13c0dcd162554e5c3df6640eb12ba4d3adbf8d909026a40ab5cdd369e393d08b5c06d0e4aebcdb550a22713c6961b30627a4b8eb178b7d6
SSDEEP

24576:AUqN67OT8888888888888888888888888888888888888888888888888888888P:AK7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2640	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1520	fwwpfeft.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2992	1520	fwwpfeft.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2696	sc.exe
2680	sc.exe
2092	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2832	2656	4097178d42417041c6dfce21a0702db1.exe	28
PID 2656 wrote to memory of 2832	2656	4097178d42417041c6dfce21a0702db1.exe	28
PID 2656 wrote to memory of 2832	2656	4097178d42417041c6dfce21a0702db1.exe	28
PID 2656 wrote to memory of 2832	2656	4097178d42417041c6dfce21a0702db1.exe	28
PID 2656 wrote to memory of 2820	2656	4097178d42417041c6dfce21a0702db1.exe	30
PID 2656 wrote to memory of 2820	2656	4097178d42417041c6dfce21a0702db1.exe	30
PID 2656 wrote to memory of 2820	2656	4097178d42417041c6dfce21a0702db1.exe	30
PID 2656 wrote to memory of 2820	2656	4097178d42417041c6dfce21a0702db1.exe	30
PID 2656 wrote to memory of 2696	2656	4097178d42417041c6dfce21a0702db1.exe	32
PID 2656 wrote to memory of 2696	2656	4097178d42417041c6dfce21a0702db1.exe	32
PID 2656 wrote to memory of 2696	2656	4097178d42417041c6dfce21a0702db1.exe	32
PID 2656 wrote to memory of 2696	2656	4097178d42417041c6dfce21a0702db1.exe	32
PID 2656 wrote to memory of 2680	2656	4097178d42417041c6dfce21a0702db1.exe	35
PID 2656 wrote to memory of 2680	2656	4097178d42417041c6dfce21a0702db1.exe	35
PID 2656 wrote to memory of 2680	2656	4097178d42417041c6dfce21a0702db1.exe	35
PID 2656 wrote to memory of 2680	2656	4097178d42417041c6dfce21a0702db1.exe	35
PID 2656 wrote to memory of 2092	2656	4097178d42417041c6dfce21a0702db1.exe	37
PID 2656 wrote to memory of 2092	2656	4097178d42417041c6dfce21a0702db1.exe	37
PID 2656 wrote to memory of 2092	2656	4097178d42417041c6dfce21a0702db1.exe	37
PID 2656 wrote to memory of 2092	2656	4097178d42417041c6dfce21a0702db1.exe	37
PID 2656 wrote to memory of 2640	2656	4097178d42417041c6dfce21a0702db1.exe	38
PID 2656 wrote to memory of 2640	2656	4097178d42417041c6dfce21a0702db1.exe	38
PID 2656 wrote to memory of 2640	2656	4097178d42417041c6dfce21a0702db1.exe	38
PID 2656 wrote to memory of 2640	2656	4097178d42417041c6dfce21a0702db1.exe	38
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41
PID 1520 wrote to memory of 2992	1520	fwwpfeft.exe	41

C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe
"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\plkfifkh\
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fwwpfeft.exe" C:\Windows\SysWOW64\plkfifkh\
  2⤵
  PID:2820
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create plkfifkh binPath= "C:\Windows\SysWOW64\plkfifkh\fwwpfeft.exe /d\"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description plkfifkh "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start plkfifkh
  2⤵
  - Launches sc.exe
  PID:2092
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2640

C:\Windows\SysWOW64\plkfifkh\fwwpfeft.exe
C:\Windows\SysWOW64\plkfifkh\fwwpfeft.exe /d"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwwpfeft.exe

Filesize
651KB

MD5
ba79a1f519ba0d0a20ca99f9748f1bc6

SHA1
9a56541963bda7a2eb49f2f39578e401e39e4aae

SHA256
80ad1ca0c925cebcf1bb780f2b5afada4977294ef8b1eb5fed2fdc4842ce3505

SHA512
9592480cff40d83b7dd352479be8824ef57bae626a470c41afb9080b5ca424d9a4955501d2f50344b26794d93496be46814d38a02a03a9ffe5bee481107f00ec

Download Submit
C:\Windows\SysWOW64\plkfifkh\fwwpfeft.exe

Filesize
92KB

MD5
9cffb9a3e7f5b756477460f195989d09

SHA1
49c3efb8abbf15607264c614c23c4d9fec7da514

SHA256
61ad7d0b2b5c1102c8319d68c13b6ef9925497a5ff818752624bee42a8926b59

SHA512
28ab3ef2c9c892ac83917d896c6c2171e404150ad29d8723655fca14d698ef046b18f739fb759e1ac093a8b597de80a871fc397159f153041034d677326482c8

Download Submit
memory/1520-11-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/1520-19-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/1520-17-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/2656-6-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/2656-7-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/2656-8-0x00000000003C0000-0x00000000003D3000-memory.dmp

Filesize
76KB

Download
memory/2656-1-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2656-4-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/2656-2-0x00000000003C0000-0x00000000003D3000-memory.dmp

Filesize
76KB

Download
memory/2992-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2992-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2992-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2992-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2992-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads