tofsee | 81c24a66dbb0f2f3c18d2d88f300fb0c93915af3f2f908b4659665a344d92a36

Analysis

max time kernel
148s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a07cc8e36f22b398224b6685f28475b.exe
Size

13.2MB
MD5

5a07cc8e36f22b398224b6685f28475b
SHA1

10dba11f9e2080f7bc2fb2da7a768eb9a4bde53f
SHA256

81c24a66dbb0f2f3c18d2d88f300fb0c93915af3f2f908b4659665a344d92a36
SHA512

1a1fa5ff1c2ea6d9caeee53d605d9c905ab2960a2238a7d8c89f45ea1f67cb85f83fcbb956bfbf8859e5fff6fff49b85b55c252c30c307e1a0639484f7878a92
SSDEEP

49152:rGvEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEn:rG

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ouzwhjjj = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2536	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ouzwhjjj\ImagePath = "C:\\Windows\\SysWOW64\\ouzwhjjj\\xdozrgam.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1756	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	xdozrgam.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 1756	2604	xdozrgam.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2968	sc.exe
2716	sc.exe
2820	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2696	2684	5a07cc8e36f22b398224b6685f28475b.exe	28
PID 2684 wrote to memory of 2696	2684	5a07cc8e36f22b398224b6685f28475b.exe	28
PID 2684 wrote to memory of 2696	2684	5a07cc8e36f22b398224b6685f28475b.exe	28
PID 2684 wrote to memory of 2696	2684	5a07cc8e36f22b398224b6685f28475b.exe	28
PID 2684 wrote to memory of 2804	2684	5a07cc8e36f22b398224b6685f28475b.exe	30
PID 2684 wrote to memory of 2804	2684	5a07cc8e36f22b398224b6685f28475b.exe	30
PID 2684 wrote to memory of 2804	2684	5a07cc8e36f22b398224b6685f28475b.exe	30
PID 2684 wrote to memory of 2804	2684	5a07cc8e36f22b398224b6685f28475b.exe	30
PID 2684 wrote to memory of 2820	2684	5a07cc8e36f22b398224b6685f28475b.exe	32
PID 2684 wrote to memory of 2820	2684	5a07cc8e36f22b398224b6685f28475b.exe	32
PID 2684 wrote to memory of 2820	2684	5a07cc8e36f22b398224b6685f28475b.exe	32
PID 2684 wrote to memory of 2820	2684	5a07cc8e36f22b398224b6685f28475b.exe	32
PID 2684 wrote to memory of 2968	2684	5a07cc8e36f22b398224b6685f28475b.exe	34
PID 2684 wrote to memory of 2968	2684	5a07cc8e36f22b398224b6685f28475b.exe	34
PID 2684 wrote to memory of 2968	2684	5a07cc8e36f22b398224b6685f28475b.exe	34
PID 2684 wrote to memory of 2968	2684	5a07cc8e36f22b398224b6685f28475b.exe	34
PID 2684 wrote to memory of 2716	2684	5a07cc8e36f22b398224b6685f28475b.exe	36
PID 2684 wrote to memory of 2716	2684	5a07cc8e36f22b398224b6685f28475b.exe	36
PID 2684 wrote to memory of 2716	2684	5a07cc8e36f22b398224b6685f28475b.exe	36
PID 2684 wrote to memory of 2716	2684	5a07cc8e36f22b398224b6685f28475b.exe	36
PID 2684 wrote to memory of 2536	2684	5a07cc8e36f22b398224b6685f28475b.exe	39
PID 2684 wrote to memory of 2536	2684	5a07cc8e36f22b398224b6685f28475b.exe	39
PID 2684 wrote to memory of 2536	2684	5a07cc8e36f22b398224b6685f28475b.exe	39
PID 2684 wrote to memory of 2536	2684	5a07cc8e36f22b398224b6685f28475b.exe	39
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41
PID 2604 wrote to memory of 1756	2604	xdozrgam.exe	41

C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe
"C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ouzwhjjj\
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe" C:\Windows\SysWOW64\ouzwhjjj\
  2⤵
  PID:2804
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ouzwhjjj binPath= "C:\Windows\SysWOW64\ouzwhjjj\xdozrgam.exe /d\"C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ouzwhjjj "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ouzwhjjj
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2536

C:\Windows\SysWOW64\ouzwhjjj\xdozrgam.exe
C:\Windows\SysWOW64\ouzwhjjj\xdozrgam.exe /d"C:\Users\Admin\AppData\Local\Temp\5a07cc8e36f22b398224b6685f28475b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe

Filesize
10.6MB

MD5
d64b889be7250eb05ffde8c149240c9c

SHA1
80297259f4e66614e7f649f411d83b19250fbf31

SHA256
5784b7dfd34600bd31c582a07b6f65f7488c65db416f1b7bdb62b506ff3937b8

SHA512
e1560114e03d3ac4aada599a71e542aa97870b59ee283be9365d4c7761fa6aab7424f87f1636c4e3aedf6739fdcd65e0955892222e2cf16fabd79cf6e4ead9fc

Download Submit
C:\Windows\SysWOW64\ouzwhjjj\xdozrgam.exe

Filesize
5.1MB

MD5
29a63893b67b9dac8afb384dabae9ef4

SHA1
f94d783799e6726821070bd41e7bf8d3843ff958

SHA256
f7092223b45d9435022db3a5582d5af3efa6982914a814c526f8a67b2da231e0

SHA512
c625eafd8203aa4f8889db1764031808be19f4da5a93c3c4e1debc6b8f63bbb35f87bfb1b93bc0c32e97916111686ebf18193cc43eb1812b43ab2a1599b68ada

Download Submit
memory/1756-20-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1756-15-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1756-22-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1756-21-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1756-11-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1756-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-18-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2604-10-0x0000000000D30000-0x0000000000E30000-memory.dmp

Filesize
1024KB

Download
memory/2604-12-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2684-8-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/2684-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

Filesize
1024KB

Download
memory/2684-4-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2684-7-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2684-2-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads