tofsee | cd0838375b76d23ee905b240e836d66d63840a788b019cff3ef68a7691dbc2fe

General

Target

2768749b68bcc2a0d4aa791246d1d12e.exe
Size

12.3MB
MD5

2768749b68bcc2a0d4aa791246d1d12e
SHA1

8d8d43003be29ed3f02e44913227871a2dfa7d8d
SHA256

cd0838375b76d23ee905b240e836d66d63840a788b019cff3ef68a7691dbc2fe
SHA512

90553c7e6d24e338db0f6088d77a48b5992dfaa6eb9134c33367041526048b9207ead757b5b7ed876ac4512661b451049228c776e19e39a376e9dea57c4a2b5c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

bvxuokuz.exe

pid process

844 bvxuokuz.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1556 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bvxuokuz.exe

description pid process target process

PID 844 set thread context of 1556 844 bvxuokuz.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
844	bvxuokuz.exe

pid	process
1556	svchost.exe

description	pid	process	target process
PID 844 set thread context of 1556	844	bvxuokuz.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2768749b68bcc2a0d4aa791246d1d12e.exebvxuokuz.exe

description	pid	process	target process
PID 2024 wrote to memory of 1692	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1692	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1692	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1692	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1112	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1112	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1112	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 1112	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 2024 wrote to memory of 800	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 800	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 800	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 800	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 2000	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 2000	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 2000	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 2000	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 1848	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 1848	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 1848	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 2024 wrote to memory of 1848	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 844 wrote to memory of 1556	844	bvxuokuz.exe	svchost.exe
PID 2024 wrote to memory of 1192	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe
PID 2024 wrote to memory of 1192	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe
PID 2024 wrote to memory of 1192	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe
PID 2024 wrote to memory of 1192	2024	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe
"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dazomwvv\
2⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bvxuokuz.exe" C:\Windows\SysWOW64\dazomwvv\
2⤵
PID:1112

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create dazomwvv binPath= "C:\Windows\SysWOW64\dazomwvv\bvxuokuz.exe /d\"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description dazomwvv "wifi internet conection"
2⤵
PID:2000

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start dazomwvv
2⤵
PID:1848

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1192

C:\Windows\SysWOW64\dazomwvv\bvxuokuz.exe
C:\Windows\SysWOW64\dazomwvv\bvxuokuz.exe /d"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvxuokuz.exe

MD5
ba5f62c7b5e4fda8e828e66e138e3469

SHA1
010cfb38ed33e7e65361a41e563dd2c2fcf2d81b

SHA256
4b186446c968a27a9db3c580807f4e0fc327a1cb2e172c4efc4f8d31540aadfe

SHA512
e2ab36becb2e830eb742b1435af1f65f25479cc77faaf42a7d801d139d84006c7bdbb15033fde5fe1ebf512428330e16d8a73854ccad749dffb1861b0aa9b38d

Download Submit
C:\Windows\SysWOW64\dazomwvv\bvxuokuz.exe

MD5
ba5f62c7b5e4fda8e828e66e138e3469

SHA1
010cfb38ed33e7e65361a41e563dd2c2fcf2d81b

SHA256
4b186446c968a27a9db3c580807f4e0fc327a1cb2e172c4efc4f8d31540aadfe

SHA512
e2ab36becb2e830eb742b1435af1f65f25479cc77faaf42a7d801d139d84006c7bdbb15033fde5fe1ebf512428330e16d8a73854ccad749dffb1861b0aa9b38d

Download Submit
memory/800-5-0x0000000000000000-mapping.dmp

Download
memory/1112-3-0x0000000000000000-mapping.dmp

Download
memory/1192-12-0x0000000000000000-mapping.dmp

Download
memory/1556-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1556-10-0x0000000000089A6B-mapping.dmp

Download
memory/1692-2-0x0000000000000000-mapping.dmp

Download
memory/1848-7-0x0000000000000000-mapping.dmp

Download
memory/2000-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing