tofsee | cd0838375b76d23ee905b240e836d66d63840a788b019cff3ef68a7691dbc2fe

General

Target

2768749b68bcc2a0d4aa791246d1d12e.exe
Size

12.3MB
MD5

2768749b68bcc2a0d4aa791246d1d12e
SHA1

8d8d43003be29ed3f02e44913227871a2dfa7d8d
SHA256

cd0838375b76d23ee905b240e836d66d63840a788b019cff3ef68a7691dbc2fe
SHA512

90553c7e6d24e338db0f6088d77a48b5992dfaa6eb9134c33367041526048b9207ead757b5b7ed876ac4512661b451049228c776e19e39a376e9dea57c4a2b5c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

dbiedmkb.exe

pid process

1288 dbiedmkb.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2296 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dbiedmkb.exe

description pid process target process

PID 1288 set thread context of 2296 1288 dbiedmkb.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1288	dbiedmkb.exe

pid	process
2296	svchost.exe

description	pid	process	target process
PID 1288 set thread context of 2296	1288	dbiedmkb.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2768749b68bcc2a0d4aa791246d1d12e.exedbiedmkb.exe

description	pid	process	target process
PID 1140 wrote to memory of 2632	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 2632	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 2632	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 2836	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 2836	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 2836	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	cmd.exe
PID 1140 wrote to memory of 184	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 184	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 184	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 1468	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 1468	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 1468	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 684	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 684	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1140 wrote to memory of 684	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	sc.exe
PID 1288 wrote to memory of 2296	1288	dbiedmkb.exe	svchost.exe
PID 1288 wrote to memory of 2296	1288	dbiedmkb.exe	svchost.exe
PID 1288 wrote to memory of 2296	1288	dbiedmkb.exe	svchost.exe
PID 1288 wrote to memory of 2296	1288	dbiedmkb.exe	svchost.exe
PID 1288 wrote to memory of 2296	1288	dbiedmkb.exe	svchost.exe
PID 1140 wrote to memory of 488	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe
PID 1140 wrote to memory of 488	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe
PID 1140 wrote to memory of 488	1140	2768749b68bcc2a0d4aa791246d1d12e.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe
"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\syhpwoti\
2⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dbiedmkb.exe" C:\Windows\SysWOW64\syhpwoti\
2⤵
PID:2836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create syhpwoti binPath= "C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:184

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description syhpwoti "wifi internet conection"
2⤵
PID:1468

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start syhpwoti
2⤵
PID:684

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:488

C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe
C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe /d"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbiedmkb.exe
MD5
5cdbfdda0c94eb4ad5538f90ba0a8434

SHA1
c8f6f23bfae18396c522e6c360728e10fabed2fa

SHA256
07ac6aa84e77f5c334d625fdd1ab4e952aceb18a7f6e36f7a87330f219ebdf75

SHA512
2302453e862172a265e56bc1e8800e4bb7e5c7a4e473ef9f39ff5e24d79b6702218cf5212443f6f6c688e2a07a58cee598880aefe3943b0960d1e21ddf189ceb

Download Submit
C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe
MD5
5cdbfdda0c94eb4ad5538f90ba0a8434

SHA1
c8f6f23bfae18396c522e6c360728e10fabed2fa

SHA256
07ac6aa84e77f5c334d625fdd1ab4e952aceb18a7f6e36f7a87330f219ebdf75

SHA512
2302453e862172a265e56bc1e8800e4bb7e5c7a4e473ef9f39ff5e24d79b6702218cf5212443f6f6c688e2a07a58cee598880aefe3943b0960d1e21ddf189ceb

Download Submit
memory/184-5-0x0000000000000000-mapping.dmp

Download
memory/488-12-0x0000000000000000-mapping.dmp

Download
memory/684-7-0x0000000000000000-mapping.dmp

Download
memory/1468-6-0x0000000000000000-mapping.dmp

Download
memory/2296-9-0x0000000000E20000-0x0000000000E35000-memory.dmp

Filesize
84KB

Download
memory/2296-10-0x0000000000E29A6B-mapping.dmp

Download
memory/2632-2-0x0000000000000000-mapping.dmp

Download
memory/2836-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing