tofsee | dca28026972104cfee2366df490b5a82637b0821f4245f0f333ebbd25c6e04bb

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2352e8e0a3f774f51b903571b63ca03.exe
Size

12.6MB
MD5

e2352e8e0a3f774f51b903571b63ca03
SHA1

aa70b74cda6fbd0eb60b84c439d079252485cf50
SHA256

dca28026972104cfee2366df490b5a82637b0821f4245f0f333ebbd25c6e04bb
SHA512

ee9a220a8e80bbeb303cf7068da24e7615d92f13891b9d46164995f50eab1691d445f8cfacfd6b4bf3cc401d05e20c6ed06781fb56ba3903c4b9c4ef5f1a060f
SSDEEP

12288:CS5xuP/rZh5sMqGHo7ywSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSH:WP/rZd87

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hraxsjjz = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2544	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hraxsjjz\ImagePath = "C:\\Windows\\SysWOW64\\hraxsjjz\\hzeeldxb.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2928	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	hzeeldxb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 2928	2436	hzeeldxb.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2724	sc.exe
2568	sc.exe
2612	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3004	2084	e2352e8e0a3f774f51b903571b63ca03.exe	28
PID 2084 wrote to memory of 3004	2084	e2352e8e0a3f774f51b903571b63ca03.exe	28
PID 2084 wrote to memory of 3004	2084	e2352e8e0a3f774f51b903571b63ca03.exe	28
PID 2084 wrote to memory of 3004	2084	e2352e8e0a3f774f51b903571b63ca03.exe	28
PID 2084 wrote to memory of 2516	2084	e2352e8e0a3f774f51b903571b63ca03.exe	30
PID 2084 wrote to memory of 2516	2084	e2352e8e0a3f774f51b903571b63ca03.exe	30
PID 2084 wrote to memory of 2516	2084	e2352e8e0a3f774f51b903571b63ca03.exe	30
PID 2084 wrote to memory of 2516	2084	e2352e8e0a3f774f51b903571b63ca03.exe	30
PID 2084 wrote to memory of 2612	2084	e2352e8e0a3f774f51b903571b63ca03.exe	32
PID 2084 wrote to memory of 2612	2084	e2352e8e0a3f774f51b903571b63ca03.exe	32
PID 2084 wrote to memory of 2612	2084	e2352e8e0a3f774f51b903571b63ca03.exe	32
PID 2084 wrote to memory of 2612	2084	e2352e8e0a3f774f51b903571b63ca03.exe	32
PID 2084 wrote to memory of 2724	2084	e2352e8e0a3f774f51b903571b63ca03.exe	34
PID 2084 wrote to memory of 2724	2084	e2352e8e0a3f774f51b903571b63ca03.exe	34
PID 2084 wrote to memory of 2724	2084	e2352e8e0a3f774f51b903571b63ca03.exe	34
PID 2084 wrote to memory of 2724	2084	e2352e8e0a3f774f51b903571b63ca03.exe	34
PID 2084 wrote to memory of 2568	2084	e2352e8e0a3f774f51b903571b63ca03.exe	36
PID 2084 wrote to memory of 2568	2084	e2352e8e0a3f774f51b903571b63ca03.exe	36
PID 2084 wrote to memory of 2568	2084	e2352e8e0a3f774f51b903571b63ca03.exe	36
PID 2084 wrote to memory of 2568	2084	e2352e8e0a3f774f51b903571b63ca03.exe	36
PID 2084 wrote to memory of 2544	2084	e2352e8e0a3f774f51b903571b63ca03.exe	39
PID 2084 wrote to memory of 2544	2084	e2352e8e0a3f774f51b903571b63ca03.exe	39
PID 2084 wrote to memory of 2544	2084	e2352e8e0a3f774f51b903571b63ca03.exe	39
PID 2084 wrote to memory of 2544	2084	e2352e8e0a3f774f51b903571b63ca03.exe	39
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41
PID 2436 wrote to memory of 2928	2436	hzeeldxb.exe	41

C:\Users\Admin\AppData\Local\Temp\e2352e8e0a3f774f51b903571b63ca03.exe
"C:\Users\Admin\AppData\Local\Temp\e2352e8e0a3f774f51b903571b63ca03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hraxsjjz\
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hzeeldxb.exe" C:\Windows\SysWOW64\hraxsjjz\
  2⤵
  PID:2516
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hraxsjjz binPath= "C:\Windows\SysWOW64\hraxsjjz\hzeeldxb.exe /d\"C:\Users\Admin\AppData\Local\Temp\e2352e8e0a3f774f51b903571b63ca03.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hraxsjjz "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hraxsjjz
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2544

C:\Windows\SysWOW64\hraxsjjz\hzeeldxb.exe
C:\Windows\SysWOW64\hraxsjjz\hzeeldxb.exe /d"C:\Users\Admin\AppData\Local\Temp\e2352e8e0a3f774f51b903571b63ca03.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hzeeldxb.exe

Filesize
6.9MB

MD5
bc2840dc818da03ed03cf0b7a96b9713

SHA1
22942a1d563320480af0fbfbc56b13362df680a8

SHA256
cbb74d1d0c9ed9ee2d712cb5c52cea9cfe62b6e2e31a96a001ba25c2f56267b9

SHA512
b076d399f93f312c98e4e9087468abce14c5a204083fa28f58902e0721b838c77478c9555b8e69e54586e52b9e26cc9841e5a079dcb3e9d228c5910a9ffd0558

Download Submit
C:\Windows\SysWOW64\hraxsjjz\hzeeldxb.exe

Filesize
1.1MB

MD5
8a651e720aa0b5dbdf366cc51841a302

SHA1
4e56659fe6a2990606da1996cafab306e7cfd501

SHA256
b3a80b6a57b31c2b171f5be0d16ff52e0b85cfcb31765a62ace5473d10901a21

SHA512
789d9ffd870d6bbe4d634f7ba2883a90611bca7ca6b4bb3ec36b03c63064161e7b1ef44586834a12abda2066fb21ac46793974f70b88068c842ebd85c0961eda

Download Submit
memory/2084-1-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2084-2-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/2084-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2084-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2084-10-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/2084-9-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2436-11-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2436-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2436-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2928-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-13-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2928-16-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2928-21-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2928-22-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2928-23-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads