Overview

overview

10

Static

static

10

76ede4f29d...e6.exe

windows7-x64

10

76ede4f29d...e6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6a894de8a5d3285bbefc44ddf433b6a57b6199e649263204eed0d928de401ce2

  • Size

    105KB

  • Sample

    240706-qhatsayenm

  • MD5

    78040c6f58b5477433f5686fc36a3fc5

  • SHA1

    08ab725e3abdb3967d2b6034bbd0b2e12168a5fe

  • SHA256

    6a894de8a5d3285bbefc44ddf433b6a57b6199e649263204eed0d928de401ce2

  • SHA512

    b64cbf0c9a3a8f70953daa5af2feb28b65c15320c005c426fa5023e505c49362b70085f5ce331cd6f5f888129fd41fc2dc3a0609f6284dcaf4405bef6f1ab927

  • SSDEEP

    3072:LmCePnwEtOnRRo4sh80QPoNR5qpe9ZLsny:LTGQRRo5haSR0w7Qy

Score
10/10
tofseeevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6

    • Size

      10.3MB

    • MD5

      81f79ce05d962b7d8b0d4977aead32df

    • SHA1

      e24b156a6ab8da34f07f67256cfacf1495a5eaec

    • SHA256

      76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6

    • SHA512

      710719709d2a5b78b862981cc186b2b8ad7d0654f000e5af41ad7a61af438f3be4ac8cd752740fd4ccb1bf146cf1975beb00aadd921054ce367ee87db099c0b1

    • SSDEEP

      6144:+5VCb4QuzF2tpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7:48NKF6p

    Score
    10/10
    tofseeevasionexecutionpersistenceprivilege_escalationtrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistenceexecution

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks