tofsee | 216c4de57aae07cd4a677efd02183dc2709a6e096575d9b6fee861fd4217203f

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0db50e394ee39b57a709b77f5e280a.exe
Size

13.3MB
MD5

bc0db50e394ee39b57a709b77f5e280a
SHA1

784fc1303bafbce76bf0b02da9d814605a84e79f
SHA256

216c4de57aae07cd4a677efd02183dc2709a6e096575d9b6fee861fd4217203f
SHA512

764d067f4d1e8906b1a4f5337cd665514e0f61afb24c18c4b1593503744dd34fb6029d1182a15ed85ca906ed9da06d6dc5c1cef59eb861d4f2790c5073e43dd3
SSDEEP

49152:fj5555555555555555555555555555555555555555555555555555555555555Z:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\sawphenj = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2448	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sawphenj\ImagePath = "C:\\Windows\\SysWOW64\\sawphenj\\cpdgiigt.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1620	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	cpdgiigt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1620	2596	cpdgiigt.exe	39

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2612	sc.exe
3024	sc.exe
2548	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2084	2272	bc0db50e394ee39b57a709b77f5e280a.exe	28
PID 2272 wrote to memory of 2084	2272	bc0db50e394ee39b57a709b77f5e280a.exe	28
PID 2272 wrote to memory of 2084	2272	bc0db50e394ee39b57a709b77f5e280a.exe	28
PID 2272 wrote to memory of 2084	2272	bc0db50e394ee39b57a709b77f5e280a.exe	28
PID 2272 wrote to memory of 2872	2272	bc0db50e394ee39b57a709b77f5e280a.exe	30
PID 2272 wrote to memory of 2872	2272	bc0db50e394ee39b57a709b77f5e280a.exe	30
PID 2272 wrote to memory of 2872	2272	bc0db50e394ee39b57a709b77f5e280a.exe	30
PID 2272 wrote to memory of 2872	2272	bc0db50e394ee39b57a709b77f5e280a.exe	30
PID 2272 wrote to memory of 3024	2272	bc0db50e394ee39b57a709b77f5e280a.exe	32
PID 2272 wrote to memory of 3024	2272	bc0db50e394ee39b57a709b77f5e280a.exe	32
PID 2272 wrote to memory of 3024	2272	bc0db50e394ee39b57a709b77f5e280a.exe	32
PID 2272 wrote to memory of 3024	2272	bc0db50e394ee39b57a709b77f5e280a.exe	32
PID 2272 wrote to memory of 2548	2272	bc0db50e394ee39b57a709b77f5e280a.exe	34
PID 2272 wrote to memory of 2548	2272	bc0db50e394ee39b57a709b77f5e280a.exe	34
PID 2272 wrote to memory of 2548	2272	bc0db50e394ee39b57a709b77f5e280a.exe	34
PID 2272 wrote to memory of 2548	2272	bc0db50e394ee39b57a709b77f5e280a.exe	34
PID 2272 wrote to memory of 2612	2272	bc0db50e394ee39b57a709b77f5e280a.exe	36
PID 2272 wrote to memory of 2612	2272	bc0db50e394ee39b57a709b77f5e280a.exe	36
PID 2272 wrote to memory of 2612	2272	bc0db50e394ee39b57a709b77f5e280a.exe	36
PID 2272 wrote to memory of 2612	2272	bc0db50e394ee39b57a709b77f5e280a.exe	36
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2596 wrote to memory of 1620	2596	cpdgiigt.exe	39
PID 2272 wrote to memory of 2448	2272	bc0db50e394ee39b57a709b77f5e280a.exe	40
PID 2272 wrote to memory of 2448	2272	bc0db50e394ee39b57a709b77f5e280a.exe	40
PID 2272 wrote to memory of 2448	2272	bc0db50e394ee39b57a709b77f5e280a.exe	40
PID 2272 wrote to memory of 2448	2272	bc0db50e394ee39b57a709b77f5e280a.exe	40

C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe
"C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sawphenj\
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe" C:\Windows\SysWOW64\sawphenj\
  2⤵
  PID:2872
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create sawphenj binPath= "C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe /d\"C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3024
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description sawphenj "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start sawphenj
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2448

C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe
C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe /d"C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe

Filesize
14.9MB

MD5
07dfaffdce44c5210ac309a1200e293f

SHA1
2400290dfe559ce35e5a71d7538ad8092b3a74bc

SHA256
e2c4337fb1f59e904f9ba1c7f8a51a795d83c6af88c7d4b58282926973893699

SHA512
924111d0c4bc180adc525c88b669f5f4e55ef6c92c4643109610ddafc81b9017b9358dcc79e80b3a92e4e3dbf556cfaffe4f0b58b00e9fb11b706983b2448a66

Download Submit
memory/1620-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1620-17-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1620-21-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1620-20-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1620-19-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1620-13-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1620-10-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/2272-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2272-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2272-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2272-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2272-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2596-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2596-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads