tofsee | 84c7cf500a3f80503733ee11075b15399a1d6af01485e19c3caaecb52c2909c8

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4ac2fafc02d4f6144c8aeee6627ec8.exe
Size

13.6MB
MD5

7f4ac2fafc02d4f6144c8aeee6627ec8
SHA1

9b97a23034cd97993b6c55d5a4ac16d4e8ac8e3b
SHA256

84c7cf500a3f80503733ee11075b15399a1d6af01485e19c3caaecb52c2909c8
SHA512

ca74d14d415f20c44a0f26975c95f0ef8618ae2cf57dd4db039e8483bae70d83074d67d1c04cbdccffdc0f6c54f998de88de6da77814b5a8bbb537b60ca17466
SSDEEP

24576:1htJbmFQuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuX:SF

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\invdprtb = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2860	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\invdprtb\ImagePath = "C:\\Windows\\SysWOW64\\invdprtb\\xqiecnb.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2828	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	xqiecnb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 2828	2780	xqiecnb.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2772	sc.exe
2340	sc.exe
2740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1724	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	29
PID 2212 wrote to memory of 1724	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	29
PID 2212 wrote to memory of 1724	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	29
PID 2212 wrote to memory of 1724	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	29
PID 2212 wrote to memory of 2044	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	30
PID 2212 wrote to memory of 2044	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	30
PID 2212 wrote to memory of 2044	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	30
PID 2212 wrote to memory of 2044	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	30
PID 2212 wrote to memory of 2772	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	33
PID 2212 wrote to memory of 2772	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	33
PID 2212 wrote to memory of 2772	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	33
PID 2212 wrote to memory of 2772	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	33
PID 2212 wrote to memory of 2340	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	34
PID 2212 wrote to memory of 2340	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	34
PID 2212 wrote to memory of 2340	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	34
PID 2212 wrote to memory of 2340	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	34
PID 2212 wrote to memory of 2740	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	37
PID 2212 wrote to memory of 2740	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	37
PID 2212 wrote to memory of 2740	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	37
PID 2212 wrote to memory of 2740	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	37
PID 2212 wrote to memory of 2860	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	40
PID 2212 wrote to memory of 2860	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	40
PID 2212 wrote to memory of 2860	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	40
PID 2212 wrote to memory of 2860	2212	7f4ac2fafc02d4f6144c8aeee6627ec8.exe	40
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41
PID 2780 wrote to memory of 2828	2780	xqiecnb.exe	41

C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe
"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\invdprtb\
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xqiecnb.exe" C:\Windows\SysWOW64\invdprtb\
  2⤵
  PID:2044
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create invdprtb binPath= "C:\Windows\SysWOW64\invdprtb\xqiecnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2772
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description invdprtb "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start invdprtb
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2860

C:\Windows\SysWOW64\invdprtb\xqiecnb.exe
C:\Windows\SysWOW64\invdprtb\xqiecnb.exe /d"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xqiecnb.exe

Filesize
3.9MB

MD5
8c90c2cf17a47dcf316d0b5310d68f46

SHA1
e119f3facaf36e30003a5a997d78b47c47ed7a9d

SHA256
17539ef20b031aa18233c8d2fc3d575083d241dea45bd83ddd680e3f0826e51b

SHA512
c0bb883efa1ad92ef4cbcae55c7752e41495a011237f91773320c502b317714bc18772748335bf727caa377953d67046d39c9cd761746480700410e45a07cdc8

Download Submit
C:\Windows\SysWOW64\invdprtb\xqiecnb.exe

Filesize
117KB

MD5
140367e57a90410c33e809e46d004f24

SHA1
ef3cf24b1e40f7da6640880bd6cf9e149df404e6

SHA256
b979c7ff522d1ead67d1faf8591e16a6dd428162eb4be5049222ca576a1df9eb

SHA512
343fe3053e4cf39a6c7a164a558cf4f6cf0f5314db792432c06185e1b940c8c6e37e7386949d577c6ce55c75fce083c8f35aad37d47ccbac089befe18ea9ff3a

Download Submit
memory/2212-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2212-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2212-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2212-9-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2212-1-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2780-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2780-11-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2780-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2828-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2828-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2828-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2828-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads