tofsee | edf98c8d92926d258cf70c2348ab4c68d31b377cd273b0686f12e3545089030b

Analysis

max time kernel
0s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da4a56f9db3ccef32e88ad2e5c616a1a.exe
Size

99KB
MD5

da4a56f9db3ccef32e88ad2e5c616a1a
SHA1

8a6379a31a9d80614fbcb05dbbc454aec169b114
SHA256

00a857cd58005ee7f9aaa14d28852b66e833375bc18f7329f955a36d271ebdee
SHA512

2d61ebb6c2c4ef87ac9bcab3558179b58ecf2e24011841876f55765023069eb48055e5b52d007bb681658a7fcc669b24bebe31a5bf91e42366f265ae1e6bead2
SSDEEP

1536:RDCxOjokD33SiCTjvEmalf++kz2u3IT7lX6Z+Hnsi73nC:p4CdDSi+Emj+vusNsi73nC

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2020 netsh.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2720 sc.exe
2592 sc.exe
2752 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2020	netsh.exe

pid	process
2720	sc.exe
2592	sc.exe
2752	sc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

da4a56f9db3ccef32e88ad2e5c616a1a.exe

description	pid	process	target process
PID 1420 wrote to memory of 2152	1420	da4a56f9db3ccef32e88ad2e5c616a1a.exe	cmd.exe
PID 1420 wrote to memory of 2152	1420	da4a56f9db3ccef32e88ad2e5c616a1a.exe	cmd.exe
PID 1420 wrote to memory of 2152	1420	da4a56f9db3ccef32e88ad2e5c616a1a.exe	cmd.exe
PID 1420 wrote to memory of 2152	1420	da4a56f9db3ccef32e88ad2e5c616a1a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\da4a56f9db3ccef32e88ad2e5c616a1a.exe
"C:\Users\Admin\AppData\Local\Temp\da4a56f9db3ccef32e88ad2e5c616a1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lrjgzibj\
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uhvyaayl.exe" C:\Windows\SysWOW64\lrjgzibj\
2⤵
PID:2536

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lrjgzibj binPath= "C:\Windows\SysWOW64\lrjgzibj\uhvyaayl.exe /d\"C:\Users\Admin\AppData\Local\Temp\da4a56f9db3ccef32e88ad2e5c616a1a.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2720

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lrjgzibj "wifi internet conection"
2⤵
- Launches sc.exe
PID:2592

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lrjgzibj
2⤵
- Launches sc.exe
PID:2752

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2020

C:\Windows\SysWOW64\lrjgzibj\uhvyaayl.exe
C:\Windows\SysWOW64\lrjgzibj\uhvyaayl.exe /d"C:\Users\Admin\AppData\Local\Temp\da4a56f9db3ccef32e88ad2e5c616a1a.exe"
1⤵
PID:2708

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uhvyaayl.exe
Filesize
2.1MB

MD5
6c77858188ad696bfbbc272bda1c8341

SHA1
3831507cbcb589c677b3f72b2f627a603a8f2efe

SHA256
c1f6d83ad83c1d796d8607dcd137afb3e568c7258717a06256c7af3700a9b853

SHA512
cfbdd7a54ccfd3293eeeaccc9db999c2ff8faa4190b30795d6b88076bf1934d486cf8dac42b57da9d751d0da7cb52bcf194e55a747379b3d13fe2ba2bb48bbc8

Download Submit
C:\Windows\SysWOW64\lrjgzibj\uhvyaayl.exe
Filesize
448KB

MD5
2d247fa4aac973dbcd5bb21b505f0830

SHA1
1a7054ab4c5654ef75e5434f92277ba335c367d9

SHA256
21b420d0750a6d6767a4fba1359bcc0c63e08ca554307dab358ffe7246d5e62f

SHA512
6828c7afb30041c68accea7cc5fde66287bb793aa3ecdf5794f1e49fe6ce4b9540e6482121d5351089fec0b2ae27c2176c28db3e15ba9534ad8168ab3f7585d7

Download Submit
memory/1420-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1420-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2708-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2708-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2832-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2832-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-7-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2832-15-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2832-14-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download