tofsee | 00d2de40ab21c023cf7f8bba0707492e9500dc80c94a45855463b4c5c39ac563

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71016f0a0d06dec97931344d33e03fa.exe
Size

13.7MB
MD5

b71016f0a0d06dec97931344d33e03fa
SHA1

d67939051d1a7f9225da1c0a0237122f68e2b91b
SHA256

00d2de40ab21c023cf7f8bba0707492e9500dc80c94a45855463b4c5c39ac563
SHA512

9d802af5bd7e302d2eea368c0eafa689e3f1a7adcc3ad19a1fc393c945684efb18ee4e4f62834c1ae966d1ddc657fa2817743243a494d12169cad4b8a29820a5
SSDEEP

49152:dR8888888888888888888888888888888888888888888888888888888888888n:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\fpytitbd = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2760	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fpytitbd\ImagePath = "C:\\Windows\\SysWOW64\\fpytitbd\\olduqhdb.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2740	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	olduqhdb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2740	2744	olduqhdb.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2276	sc.exe
2720	sc.exe
2576	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1740	2792	b71016f0a0d06dec97931344d33e03fa.exe	28
PID 2792 wrote to memory of 1740	2792	b71016f0a0d06dec97931344d33e03fa.exe	28
PID 2792 wrote to memory of 1740	2792	b71016f0a0d06dec97931344d33e03fa.exe	28
PID 2792 wrote to memory of 1740	2792	b71016f0a0d06dec97931344d33e03fa.exe	28
PID 2792 wrote to memory of 2268	2792	b71016f0a0d06dec97931344d33e03fa.exe	30
PID 2792 wrote to memory of 2268	2792	b71016f0a0d06dec97931344d33e03fa.exe	30
PID 2792 wrote to memory of 2268	2792	b71016f0a0d06dec97931344d33e03fa.exe	30
PID 2792 wrote to memory of 2268	2792	b71016f0a0d06dec97931344d33e03fa.exe	30
PID 2792 wrote to memory of 2276	2792	b71016f0a0d06dec97931344d33e03fa.exe	32
PID 2792 wrote to memory of 2276	2792	b71016f0a0d06dec97931344d33e03fa.exe	32
PID 2792 wrote to memory of 2276	2792	b71016f0a0d06dec97931344d33e03fa.exe	32
PID 2792 wrote to memory of 2276	2792	b71016f0a0d06dec97931344d33e03fa.exe	32
PID 2792 wrote to memory of 2720	2792	b71016f0a0d06dec97931344d33e03fa.exe	34
PID 2792 wrote to memory of 2720	2792	b71016f0a0d06dec97931344d33e03fa.exe	34
PID 2792 wrote to memory of 2720	2792	b71016f0a0d06dec97931344d33e03fa.exe	34
PID 2792 wrote to memory of 2720	2792	b71016f0a0d06dec97931344d33e03fa.exe	34
PID 2792 wrote to memory of 2576	2792	b71016f0a0d06dec97931344d33e03fa.exe	36
PID 2792 wrote to memory of 2576	2792	b71016f0a0d06dec97931344d33e03fa.exe	36
PID 2792 wrote to memory of 2576	2792	b71016f0a0d06dec97931344d33e03fa.exe	36
PID 2792 wrote to memory of 2576	2792	b71016f0a0d06dec97931344d33e03fa.exe	36
PID 2792 wrote to memory of 2760	2792	b71016f0a0d06dec97931344d33e03fa.exe	39
PID 2792 wrote to memory of 2760	2792	b71016f0a0d06dec97931344d33e03fa.exe	39
PID 2792 wrote to memory of 2760	2792	b71016f0a0d06dec97931344d33e03fa.exe	39
PID 2792 wrote to memory of 2760	2792	b71016f0a0d06dec97931344d33e03fa.exe	39
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41
PID 2744 wrote to memory of 2740	2744	olduqhdb.exe	41

C:\Users\Admin\AppData\Local\Temp\b71016f0a0d06dec97931344d33e03fa.exe
"C:\Users\Admin\AppData\Local\Temp\b71016f0a0d06dec97931344d33e03fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpytitbd\
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\olduqhdb.exe" C:\Windows\SysWOW64\fpytitbd\
  2⤵
  PID:2268
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create fpytitbd binPath= "C:\Windows\SysWOW64\fpytitbd\olduqhdb.exe /d\"C:\Users\Admin\AppData\Local\Temp\b71016f0a0d06dec97931344d33e03fa.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2276
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description fpytitbd "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start fpytitbd
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2760

C:\Windows\SysWOW64\fpytitbd\olduqhdb.exe
C:\Windows\SysWOW64\fpytitbd\olduqhdb.exe /d"C:\Users\Admin\AppData\Local\Temp\b71016f0a0d06dec97931344d33e03fa.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olduqhdb.exe

Filesize
14.6MB

MD5
72f5281135c40e6260db203a5779b1c7

SHA1
be455f002a5e81f028124f6ecbca855ac788e69f

SHA256
6765bc579270d68e4829bb837715817515c34356cff8e228fa665a96b44db954

SHA512
ef86fada14097ed1162085d47ccc7859bf5bd06bca36b8b053e6bd08e2eb7bf9730fa2f8dc7f0e8f0490cece2337d79e4914f4dd55b71e3082ca5217462b6762

Download Submit
C:\Windows\SysWOW64\fpytitbd\olduqhdb.exe

Filesize
13.8MB

MD5
011daa95f4956a3abcce64634622a9d3

SHA1
002b9313d4bb40802ae8edabe51255ec74f1efe1

SHA256
d0a4ac0d5040b734f643a68f8b64988abd3c2ad4371724730d994850620299fe

SHA512
a1eee9b1183d7fb96513f33e9e1ea6225f64a5f064cc83538969ad3c878e4b6e483e237e3c394b7d8445771c79c124bd408b32ca98e22e7c6f2c68ec8306f7bd

Download Submit
memory/2740-10-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2740-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2740-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2740-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2740-13-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2740-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-15-0x0000000003320000-0x0000000003420000-memory.dmp

Filesize
1024KB

Download
memory/2744-18-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/2792-1-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/2792-8-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2792-7-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/2792-4-0x0000000000400000-0x000000000323C000-memory.dmp

Filesize
46.2MB

Download
memory/2792-2-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads