tofsee | b6768d16dbabafc1d9d07cdd065c875522cce0b6ee493187ba984e3e87b0aece

Analysis

max time kernel
141s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6202f30b837ad0025da86ecf9f5f1c9.exe
Size

12.6MB
MD5

b6202f30b837ad0025da86ecf9f5f1c9
SHA1

ac922759c8dde66341dd92f557c828b894aa0cfb
SHA256

b6768d16dbabafc1d9d07cdd065c875522cce0b6ee493187ba984e3e87b0aece
SHA512

ddf185d38b0ad7b7c8a69c27830c388ef3d20a3430cea4aecdeeae857b5d9209be4fda62d06b91b2018cd1d9f52f521fc95c5f9989ba4c54bd6f21bc4ebac527
SSDEEP

12288:ZRXQK44fy6111111111111111111111111111111111111111111111111111111:ZRx2

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ahwlndfr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2804	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ahwlndfr\ImagePath = "C:\\Windows\\SysWOW64\\ahwlndfr\\rielcbfj.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
512	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	rielcbfj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 512	1624	rielcbfj.exe	43

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1304	sc.exe
2548	sc.exe
2664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2508	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	28
PID 2972 wrote to memory of 2508	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	28
PID 2972 wrote to memory of 2508	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	28
PID 2972 wrote to memory of 2508	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	28
PID 2972 wrote to memory of 2720	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	30
PID 2972 wrote to memory of 2720	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	30
PID 2972 wrote to memory of 2720	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	30
PID 2972 wrote to memory of 2720	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	30
PID 2972 wrote to memory of 1304	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	32
PID 2972 wrote to memory of 1304	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	32
PID 2972 wrote to memory of 1304	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	32
PID 2972 wrote to memory of 1304	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	32
PID 2972 wrote to memory of 2548	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	34
PID 2972 wrote to memory of 2548	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	34
PID 2972 wrote to memory of 2548	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	34
PID 2972 wrote to memory of 2548	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	34
PID 2972 wrote to memory of 2664	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	36
PID 2972 wrote to memory of 2664	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	36
PID 2972 wrote to memory of 2664	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	36
PID 2972 wrote to memory of 2664	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	36
PID 2972 wrote to memory of 2804	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	38
PID 2972 wrote to memory of 2804	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	38
PID 2972 wrote to memory of 2804	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	38
PID 2972 wrote to memory of 2804	2972	b6202f30b837ad0025da86ecf9f5f1c9.exe	38
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43
PID 1624 wrote to memory of 512	1624	rielcbfj.exe	43

C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe
"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ahwlndfr\
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe" C:\Windows\SysWOW64\ahwlndfr\
  2⤵
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ahwlndfr binPath= "C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1304
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ahwlndfr "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ahwlndfr
  2⤵
  - Launches sc.exe
  PID:2664
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2804

C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe
C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe /d"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe

Filesize
5.9MB

MD5
cc4ad4e090e49892609c9f05e0c21c36

SHA1
481a46393ed5c8e4c2e2633add328f962f07d2c8

SHA256
d4e363255fb30fe319515fb5fe40d46a2ea3d786c44a0b4da35ec65ff6a9e47c

SHA512
8e2d5f1d71f70edbf02f858d3ee0b79d86f93342550429630fb3993433bc4811622ababab612aee8ab308611358c2421cb833bf99f352913e1b7514ac3cbab80

Download Submit
C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe

Filesize
3.3MB

MD5
d3044a59ce94fc11370394835fa8905a

SHA1
652359d33c4bf1323d0ed20d63d6aa04ca506cbc

SHA256
555a080dbd3cae755eff959095ec6a961251ae8ad45e07317e12554a05fa49ea

SHA512
17e6dce8b66d94f7311bae985e81498de43d5f0b9ab0e56d1355c54d3b73cae44fb111c8db7617e2178d96e014409064ecac85c5a48e6638c0365a71b6fd3196

Download Submit
memory/512-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/512-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/512-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/512-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/512-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/512-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/512-11-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1624-9-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/1624-10-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/1624-12-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/1624-16-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/2972-1-0x0000000003520000-0x0000000003620000-memory.dmp

Filesize
1024KB

Download
memory/2972-4-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download
memory/2972-2-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2972-6-0x0000000000400000-0x0000000003359000-memory.dmp

Filesize
47.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads