tofsee | 871f464151aa1ce0e53ea6ecad18bf3c45745d3279f9cd850557f064677daa80

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f029181740b467acc797ec6eb2be3b.exe
Size

14.1MB
MD5

97f029181740b467acc797ec6eb2be3b
SHA1

6221b864f9ce0954a623d8a5a8329787b5e33e97
SHA256

871f464151aa1ce0e53ea6ecad18bf3c45745d3279f9cd850557f064677daa80
SHA512

6822e5a2973a3ae1a950a3b863ea93f8c96de24b7b75d5b5ed3850396e0c9430d2515f514d83a9a156f9f0de239f74dc472ce3c06a65f64f6426d9cf86779713
SSDEEP

12288:hRXQK44fy6111111111111111111111111111111111111111111111111111111:hRx2

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dkiiuxja = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2928	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dkiiuxja\ImagePath = "C:\\Windows\\SysWOW64\\dkiiuxja\\fkupjvsu.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2636	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	fkupjvsu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2636	2868	fkupjvsu.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1952	sc.exe
2684	sc.exe
2960	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2020	2060	97f029181740b467acc797ec6eb2be3b.exe	28
PID 2060 wrote to memory of 2020	2060	97f029181740b467acc797ec6eb2be3b.exe	28
PID 2060 wrote to memory of 2020	2060	97f029181740b467acc797ec6eb2be3b.exe	28
PID 2060 wrote to memory of 2020	2060	97f029181740b467acc797ec6eb2be3b.exe	28
PID 2060 wrote to memory of 2328	2060	97f029181740b467acc797ec6eb2be3b.exe	30
PID 2060 wrote to memory of 2328	2060	97f029181740b467acc797ec6eb2be3b.exe	30
PID 2060 wrote to memory of 2328	2060	97f029181740b467acc797ec6eb2be3b.exe	30
PID 2060 wrote to memory of 2328	2060	97f029181740b467acc797ec6eb2be3b.exe	30
PID 2060 wrote to memory of 1952	2060	97f029181740b467acc797ec6eb2be3b.exe	32
PID 2060 wrote to memory of 1952	2060	97f029181740b467acc797ec6eb2be3b.exe	32
PID 2060 wrote to memory of 1952	2060	97f029181740b467acc797ec6eb2be3b.exe	32
PID 2060 wrote to memory of 1952	2060	97f029181740b467acc797ec6eb2be3b.exe	32
PID 2060 wrote to memory of 2684	2060	97f029181740b467acc797ec6eb2be3b.exe	34
PID 2060 wrote to memory of 2684	2060	97f029181740b467acc797ec6eb2be3b.exe	34
PID 2060 wrote to memory of 2684	2060	97f029181740b467acc797ec6eb2be3b.exe	34
PID 2060 wrote to memory of 2684	2060	97f029181740b467acc797ec6eb2be3b.exe	34
PID 2060 wrote to memory of 2960	2060	97f029181740b467acc797ec6eb2be3b.exe	36
PID 2060 wrote to memory of 2960	2060	97f029181740b467acc797ec6eb2be3b.exe	36
PID 2060 wrote to memory of 2960	2060	97f029181740b467acc797ec6eb2be3b.exe	36
PID 2060 wrote to memory of 2960	2060	97f029181740b467acc797ec6eb2be3b.exe	36
PID 2060 wrote to memory of 2928	2060	97f029181740b467acc797ec6eb2be3b.exe	39
PID 2060 wrote to memory of 2928	2060	97f029181740b467acc797ec6eb2be3b.exe	39
PID 2060 wrote to memory of 2928	2060	97f029181740b467acc797ec6eb2be3b.exe	39
PID 2060 wrote to memory of 2928	2060	97f029181740b467acc797ec6eb2be3b.exe	39
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41
PID 2868 wrote to memory of 2636	2868	fkupjvsu.exe	41

C:\Users\Admin\AppData\Local\Temp\97f029181740b467acc797ec6eb2be3b.exe
"C:\Users\Admin\AppData\Local\Temp\97f029181740b467acc797ec6eb2be3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dkiiuxja\
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fkupjvsu.exe" C:\Windows\SysWOW64\dkiiuxja\
  2⤵
  PID:2328
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create dkiiuxja binPath= "C:\Windows\SysWOW64\dkiiuxja\fkupjvsu.exe /d\"C:\Users\Admin\AppData\Local\Temp\97f029181740b467acc797ec6eb2be3b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1952
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description dkiiuxja "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2684
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start dkiiuxja
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2928

C:\Windows\SysWOW64\dkiiuxja\fkupjvsu.exe
C:\Windows\SysWOW64\dkiiuxja\fkupjvsu.exe /d"C:\Users\Admin\AppData\Local\Temp\97f029181740b467acc797ec6eb2be3b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fkupjvsu.exe

Filesize
10.4MB

MD5
699c660889b57dc806149119e3edb014

SHA1
4ffc4dc2ef04d0ba1bb0eb69771607d8e0650b49

SHA256
4b12912b3324d194ea69100e237a35ffe2f8630e6586b4fcd9a0b1ee187f62e5

SHA512
83ba4ad9bb9698c37fd66b8d4e7c9829553e21d18458cd0b03ca3969f022fe4d9b84d0675f0e216987b8709e7308bcdbeef7de3dbf508442086dc2eb43c5ec5a

Download Submit
memory/2060-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2060-1-0x0000000003450000-0x0000000003550000-memory.dmp

Filesize
1024KB

Download
memory/2060-4-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/2060-7-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/2636-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-13-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2636-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2868-9-0x0000000003420000-0x0000000003520000-memory.dmp

Filesize
1024KB

Download
memory/2868-15-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/2868-16-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads