tofsee | 30cda9b67432d82254db302482b46478ef00329dd6ebffde2433acfbb524fa21

Analysis

max time kernel
9s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4097178d42417041c6dfce21a0702db1.exe
Size

12.2MB
MD5

4097178d42417041c6dfce21a0702db1
SHA1

7c42b2d34f8a175c3d9dff286329e4e562f0c881
SHA256

30cda9b67432d82254db302482b46478ef00329dd6ebffde2433acfbb524fa21
SHA512

6effa7b8fb3e17cca13c0dcd162554e5c3df6640eb12ba4d3adbf8d909026a40ab5cdd369e393d08b5c06d0e4aebcdb550a22713c6961b30627a4b8eb178b7d6
SSDEEP

24576:AUqN67OT8888888888888888888888888888888888888888888888888888888P:AK7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4212	netsh.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4752	sc.exe
412	sc.exe
4772	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4360	4572	WerFault.exe	29
892	3060	WerFault.exe	101

C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe
"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe"
1⤵
PID:4572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tuivgtgk\
  2⤵
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\raqeftio.exe" C:\Windows\SysWOW64\tuivgtgk\
  2⤵
  PID:1652
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create tuivgtgk binPath= "C:\Windows\SysWOW64\tuivgtgk\raqeftio.exe /d\"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4752
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description tuivgtgk "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:412
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start tuivgtgk
  2⤵
  - Launches sc.exe
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1160
  2⤵
  - Program crash
  PID:4360
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4212

C:\Windows\SysWOW64\tuivgtgk\raqeftio.exe
C:\Windows\SysWOW64\tuivgtgk\raqeftio.exe /d"C:\Users\Admin\AppData\Local\Temp\4097178d42417041c6dfce21a0702db1.exe"
1⤵
PID:3060
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 560
  2⤵
  - Program crash
  PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4572 -ip 4572
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3060 -ip 3060
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-11-0x0000000000680000-0x0000000000695000-memory.dmp

Filesize
84KB

Download
memory/744-19-0x0000000000680000-0x0000000000695000-memory.dmp

Filesize
84KB

Download
memory/744-14-0x0000000000680000-0x0000000000695000-memory.dmp

Filesize
84KB

Download
memory/744-18-0x0000000000680000-0x0000000000695000-memory.dmp

Filesize
84KB

Download
memory/744-16-0x0000000000680000-0x0000000000695000-memory.dmp

Filesize
84KB

Download
memory/3060-17-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/3060-15-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/3060-10-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download
memory/4572-8-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/4572-9-0x00000000040F0000-0x0000000004103000-memory.dmp

Filesize
76KB

Download
memory/4572-2-0x00000000040F0000-0x0000000004103000-memory.dmp

Filesize
76KB

Download
memory/4572-4-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/4572-1-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads