tofsee | 6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764f182af0c6ddc192250baa4a4464a0.exe
Size

10.3MB
MD5

764f182af0c6ddc192250baa4a4464a0
SHA1

29168a577f423556cad9315ca0095764015182ad
SHA256

6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15
SHA512

bdd6adbb881a3a305cc0fd56e3d7bb96d1798c4ac8f72684058cff1d2e64e1ff7693a4e9c417cbbe870d96ea2d9a2e4d67ad000d7a3b2aca3c855d01c7fd4197
SSDEEP

98304:Db+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S:D

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rnxdgyii = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1744	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rnxdgyii\ImagePath = "C:\\Windows\\SysWOW64\\rnxdgyii\\bnzhhshp.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2328	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
576	bnzhhshp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 576 set thread context of 2328	576	bnzhhshp.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
604	sc.exe
332	sc.exe
1504	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2996	1984	764f182af0c6ddc192250baa4a4464a0.exe	28
PID 1984 wrote to memory of 2996	1984	764f182af0c6ddc192250baa4a4464a0.exe	28
PID 1984 wrote to memory of 2996	1984	764f182af0c6ddc192250baa4a4464a0.exe	28
PID 1984 wrote to memory of 2996	1984	764f182af0c6ddc192250baa4a4464a0.exe	28
PID 1984 wrote to memory of 2060	1984	764f182af0c6ddc192250baa4a4464a0.exe	31
PID 1984 wrote to memory of 2060	1984	764f182af0c6ddc192250baa4a4464a0.exe	31
PID 1984 wrote to memory of 2060	1984	764f182af0c6ddc192250baa4a4464a0.exe	31
PID 1984 wrote to memory of 2060	1984	764f182af0c6ddc192250baa4a4464a0.exe	31
PID 1984 wrote to memory of 604	1984	764f182af0c6ddc192250baa4a4464a0.exe	33
PID 1984 wrote to memory of 604	1984	764f182af0c6ddc192250baa4a4464a0.exe	33
PID 1984 wrote to memory of 604	1984	764f182af0c6ddc192250baa4a4464a0.exe	33
PID 1984 wrote to memory of 604	1984	764f182af0c6ddc192250baa4a4464a0.exe	33
PID 1984 wrote to memory of 332	1984	764f182af0c6ddc192250baa4a4464a0.exe	35
PID 1984 wrote to memory of 332	1984	764f182af0c6ddc192250baa4a4464a0.exe	35
PID 1984 wrote to memory of 332	1984	764f182af0c6ddc192250baa4a4464a0.exe	35
PID 1984 wrote to memory of 332	1984	764f182af0c6ddc192250baa4a4464a0.exe	35
PID 1984 wrote to memory of 1504	1984	764f182af0c6ddc192250baa4a4464a0.exe	37
PID 1984 wrote to memory of 1504	1984	764f182af0c6ddc192250baa4a4464a0.exe	37
PID 1984 wrote to memory of 1504	1984	764f182af0c6ddc192250baa4a4464a0.exe	37
PID 1984 wrote to memory of 1504	1984	764f182af0c6ddc192250baa4a4464a0.exe	37
PID 1984 wrote to memory of 1744	1984	764f182af0c6ddc192250baa4a4464a0.exe	40
PID 1984 wrote to memory of 1744	1984	764f182af0c6ddc192250baa4a4464a0.exe	40
PID 1984 wrote to memory of 1744	1984	764f182af0c6ddc192250baa4a4464a0.exe	40
PID 1984 wrote to memory of 1744	1984	764f182af0c6ddc192250baa4a4464a0.exe	40
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41
PID 576 wrote to memory of 2328	576	bnzhhshp.exe	41

C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe
"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rnxdgyii\
  2⤵
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bnzhhshp.exe" C:\Windows\SysWOW64\rnxdgyii\
  2⤵
  PID:2060
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create rnxdgyii binPath= "C:\Windows\SysWOW64\rnxdgyii\bnzhhshp.exe /d\"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:604
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description rnxdgyii "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start rnxdgyii
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1744

C:\Windows\SysWOW64\rnxdgyii\bnzhhshp.exe
C:\Windows\SysWOW64\rnxdgyii\bnzhhshp.exe /d"C:\Users\Admin\AppData\Local\Temp\764f182af0c6ddc192250baa4a4464a0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnzhhshp.exe

Filesize
5.7MB

MD5
d728b9f52765491c32e8f9ce15d61122

SHA1
1dd7657c9c9352038aa601f6aa20d205edcfc3e9

SHA256
ab8259e1c4ee5cb25545e7b5f4a024138bd76f5fe1f2bbbb0e0e8dd669b24efd

SHA512
f7860218b86e9df3ce82632017b5098030aa61418afb5c85bf86f145102e1f30eef71a5a41567cbfebaa9d675c6251f9fe9b6090d59d9e87d417ffefb43f3dcb

Download Submit
C:\Windows\SysWOW64\rnxdgyii\bnzhhshp.exe

Filesize
512KB

MD5
3b5969783723af25929ce33e48476f53

SHA1
dd3987c11cb000741fbaff04a1afeed0d1f7cd69

SHA256
15f2f2a45b0b2a6501159c3c4eaa89ba7ec27e71175cd7b192e009c102e3e236

SHA512
c73529c82f87ebcfb2561303a10e83b1263d72766f00eeb1402c6857793af44de4381ffbe990dc5f5c4e624733666e7d1dced0a0b02be62ce5b5d7a49e4e7332

Download Submit
memory/576-16-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/576-9-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/576-11-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/576-10-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1984-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1984-4-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1984-8-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1984-1-0x0000000002420000-0x0000000002520000-memory.dmp

Filesize
1024KB

Download
memory/2328-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2328-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2328-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2328-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2328-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads