tofsee | 47ce762a85469542401e2cdede7e409f236cca6d8c2f77337bdc31a31ad9f6c8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751d870aa39047bca3a7e6cca0e11303.exe
Size

11.4MB
MD5

751d870aa39047bca3a7e6cca0e11303
SHA1

6220cacde3e1f98a5a1813ae7324ba951bcbe895
SHA256

47ce762a85469542401e2cdede7e409f236cca6d8c2f77337bdc31a31ad9f6c8
SHA512

5e553ba1c774731d30a79f406a9f21a6a7af393ac7a7cdc0598e4e672ebb4b9b88f716a9ecef86252aaa615df256ba37f874bf7f2eb6c2413be9b45a8e54a487
SSDEEP

12288:hTAazcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcHzcn:9

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\agjqfwds = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2840	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\agjqfwds\ImagePath = "C:\\Windows\\SysWOW64\\agjqfwds\\xatbzbjt.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2560	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	xatbzbjt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2560	1632	xatbzbjt.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2856	sc.exe
2680	sc.exe
3032	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2396	2144	751d870aa39047bca3a7e6cca0e11303.exe	28
PID 2144 wrote to memory of 2396	2144	751d870aa39047bca3a7e6cca0e11303.exe	28
PID 2144 wrote to memory of 2396	2144	751d870aa39047bca3a7e6cca0e11303.exe	28
PID 2144 wrote to memory of 2396	2144	751d870aa39047bca3a7e6cca0e11303.exe	28
PID 2144 wrote to memory of 2300	2144	751d870aa39047bca3a7e6cca0e11303.exe	30
PID 2144 wrote to memory of 2300	2144	751d870aa39047bca3a7e6cca0e11303.exe	30
PID 2144 wrote to memory of 2300	2144	751d870aa39047bca3a7e6cca0e11303.exe	30
PID 2144 wrote to memory of 2300	2144	751d870aa39047bca3a7e6cca0e11303.exe	30
PID 2144 wrote to memory of 2856	2144	751d870aa39047bca3a7e6cca0e11303.exe	32
PID 2144 wrote to memory of 2856	2144	751d870aa39047bca3a7e6cca0e11303.exe	32
PID 2144 wrote to memory of 2856	2144	751d870aa39047bca3a7e6cca0e11303.exe	32
PID 2144 wrote to memory of 2856	2144	751d870aa39047bca3a7e6cca0e11303.exe	32
PID 2144 wrote to memory of 2680	2144	751d870aa39047bca3a7e6cca0e11303.exe	34
PID 2144 wrote to memory of 2680	2144	751d870aa39047bca3a7e6cca0e11303.exe	34
PID 2144 wrote to memory of 2680	2144	751d870aa39047bca3a7e6cca0e11303.exe	34
PID 2144 wrote to memory of 2680	2144	751d870aa39047bca3a7e6cca0e11303.exe	34
PID 2144 wrote to memory of 3032	2144	751d870aa39047bca3a7e6cca0e11303.exe	36
PID 2144 wrote to memory of 3032	2144	751d870aa39047bca3a7e6cca0e11303.exe	36
PID 2144 wrote to memory of 3032	2144	751d870aa39047bca3a7e6cca0e11303.exe	36
PID 2144 wrote to memory of 3032	2144	751d870aa39047bca3a7e6cca0e11303.exe	36
PID 2144 wrote to memory of 2840	2144	751d870aa39047bca3a7e6cca0e11303.exe	38
PID 2144 wrote to memory of 2840	2144	751d870aa39047bca3a7e6cca0e11303.exe	38
PID 2144 wrote to memory of 2840	2144	751d870aa39047bca3a7e6cca0e11303.exe	38
PID 2144 wrote to memory of 2840	2144	751d870aa39047bca3a7e6cca0e11303.exe	38
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41
PID 1632 wrote to memory of 2560	1632	xatbzbjt.exe	41

C:\Users\Admin\AppData\Local\Temp\751d870aa39047bca3a7e6cca0e11303.exe
"C:\Users\Admin\AppData\Local\Temp\751d870aa39047bca3a7e6cca0e11303.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\agjqfwds\
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xatbzbjt.exe" C:\Windows\SysWOW64\agjqfwds\
  2⤵
  PID:2300
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create agjqfwds binPath= "C:\Windows\SysWOW64\agjqfwds\xatbzbjt.exe /d\"C:\Users\Admin\AppData\Local\Temp\751d870aa39047bca3a7e6cca0e11303.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2856
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description agjqfwds "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start agjqfwds
  2⤵
  - Launches sc.exe
  PID:3032
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2840

C:\Windows\SysWOW64\agjqfwds\xatbzbjt.exe
C:\Windows\SysWOW64\agjqfwds\xatbzbjt.exe /d"C:\Users\Admin\AppData\Local\Temp\751d870aa39047bca3a7e6cca0e11303.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xatbzbjt.exe

Filesize
10.5MB

MD5
fd65d80876f4dd37dda8e21f8595aaa5

SHA1
45ff9a8aa4cbf1a8b123ceb40fed4030264b8243

SHA256
3e4adbbc991a1048b0f57b9ddbff840f931348f196cb73ab7bd9cd8e97c7db2d

SHA512
b69bb136cc1ed4f8687ca5e1fa745a31e42e5472887b265f8729fc752c2718dca5b5e12c69f21875fc10c0a62c0590c2abe7a92e93945fd736b2112fb8142efd

Download Submit
C:\Windows\SysWOW64\agjqfwds\xatbzbjt.exe

Filesize
9.4MB

MD5
f8b10b69f7721d514fc80dde11e6f49a

SHA1
5fb120bf0e3946b0f2cfc55db1e2f4fdb58845e9

SHA256
11bf9030971f60d6a9eea4185b378b63059814ec2944e98640de168fdd16d577

SHA512
fe2bbb2282577f1a4d94eee6dfd9dea70c90345ad18e94320b4a1870ef8874367b84878a5c6cfce18ae26910bf65de2ba06b7daa16bf25cf497e9891ffbb6873

Download Submit
memory/1632-15-0x0000000000400000-0x0000000001D73000-memory.dmp

Filesize
25.4MB

Download
memory/1632-9-0x0000000001E10000-0x0000000001F10000-memory.dmp

Filesize
1024KB

Download
memory/1632-11-0x0000000000400000-0x0000000001D73000-memory.dmp

Filesize
25.4MB

Download
memory/2144-2-0x0000000000230000-0x0000000000243000-memory.dmp

Filesize
76KB

Download
memory/2144-4-0x0000000000400000-0x0000000001D73000-memory.dmp

Filesize
25.4MB

Download
memory/2144-6-0x0000000000400000-0x0000000001D73000-memory.dmp

Filesize
25.4MB

Download
memory/2144-1-0x0000000001EF0000-0x0000000001FF0000-memory.dmp

Filesize
1024KB

Download
memory/2560-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2560-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2560-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2560-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2560-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2560-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads