tofsee | 2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf5e424dc90b592d06e8f30f37c1e6b.exe
Size

13.2MB
MD5

cbf5e424dc90b592d06e8f30f37c1e6b
SHA1

c036166895f21a873d666560bfd7e7fce142f260
SHA256

2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637
SHA512

0fec8527110f2c75dc3cb6b61a97fe544596f1b1575a6ac025420fa9fdd651c3dc6c4db5dcc4e1bfb8b29d1bde34c3302f2801430a5140dc626edb4f7d0810d6
SSDEEP

6144:1KTDS3aiZOTXbKdags2FNxWUWF5zoINm/nu:QMaiZOT+dags21Wts9vu

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\fozteidv = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2600	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fozteidv\ImagePath = "C:\\Windows\\SysWOW64\\fozteidv\\lukyznci.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2688	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	lukyznci.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2688	2488	lukyznci.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2220	sc.exe
2520	sc.exe
2636	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	28
PID 1928 wrote to memory of 1220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	28
PID 1928 wrote to memory of 1220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	28
PID 1928 wrote to memory of 1220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	28
PID 1928 wrote to memory of 1756	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	30
PID 1928 wrote to memory of 1756	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	30
PID 1928 wrote to memory of 1756	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	30
PID 1928 wrote to memory of 1756	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	30
PID 1928 wrote to memory of 2220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	32
PID 1928 wrote to memory of 2220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	32
PID 1928 wrote to memory of 2220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	32
PID 1928 wrote to memory of 2220	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	32
PID 1928 wrote to memory of 2520	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	34
PID 1928 wrote to memory of 2520	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	34
PID 1928 wrote to memory of 2520	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	34
PID 1928 wrote to memory of 2520	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	34
PID 1928 wrote to memory of 2636	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	36
PID 1928 wrote to memory of 2636	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	36
PID 1928 wrote to memory of 2636	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	36
PID 1928 wrote to memory of 2636	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	36
PID 1928 wrote to memory of 2600	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	39
PID 1928 wrote to memory of 2600	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	39
PID 1928 wrote to memory of 2600	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	39
PID 1928 wrote to memory of 2600	1928	cbf5e424dc90b592d06e8f30f37c1e6b.exe	39
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41
PID 2488 wrote to memory of 2688	2488	lukyznci.exe	41

C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe
"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fozteidv\
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lukyznci.exe" C:\Windows\SysWOW64\fozteidv\
  2⤵
  PID:1756
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create fozteidv binPath= "C:\Windows\SysWOW64\fozteidv\lukyznci.exe /d\"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2220
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description fozteidv "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start fozteidv
  2⤵
  - Launches sc.exe
  PID:2636
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2600

C:\Windows\SysWOW64\fozteidv\lukyznci.exe
C:\Windows\SysWOW64\fozteidv\lukyznci.exe /d"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lukyznci.exe

Filesize
243KB

MD5
ca2c3fd5db12144e14f868eb6eb89027

SHA1
1aa03140c724c003c3fdb38b4afe575f90da2a43

SHA256
59a5224b15b991f33e5ff606f537794c90a15048bf5f73a6b86dc568e67bf82f

SHA512
1e8600ee6302896835fcb07d858aa9dc25c2a43a64be41b99be8eec5bf206a3bbde8254538eaa7d307eec7fd7c1c3441f021e61efc4f171b7a724551c4fa9fce

Download Submit
C:\Windows\SysWOW64\fozteidv\lukyznci.exe

Filesize
20KB

MD5
40a17c63b2d4ac5b6d3f29ec1fa80848

SHA1
4c242437248c2994b42233bdcf041dda5e00afc3

SHA256
fe3f46d02c8aae045642f73487f7a81631b48cb5b8392d02b815b9d9adf89aba

SHA512
ef267261a9dc4ff30000ed93027396dd096b121eacd8360e363daf24b8eb34f48becd5aefcf56ca0fc2c20b334cd20e3c23d30631aa790d6ebc67de04d727da1

Download Submit
memory/1928-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1928-2-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1928-4-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/1928-7-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/1928-10-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1928-9-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2488-11-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2488-19-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/2488-20-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/2688-12-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2688-23-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads