tofsee | 727386e7c254ca1d51a7bb5d02da3ea09219c4c27df4d6fb33746859d28586dd

General

Target

a4536a56947e279f4408a6929ada63a4.exe
Size

12.1MB
MD5

a4536a56947e279f4408a6929ada63a4
SHA1

e372a8d21f1d078eda4b6a630aac04076ae545c9
SHA256

727386e7c254ca1d51a7bb5d02da3ea09219c4c27df4d6fb33746859d28586dd
SHA512

b7b493ca340d0e6d4f5a8ec86345f98c4786feae91e5f9bec9295224b3bb87dd3b7cbcf8de93597f04b01aaa9c9fcf06b64d3096804246ddc437dfd40aa6bfaf

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ikfwnhoh.exe

pid process

1544 ikfwnhoh.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

296 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ikfwnhoh.exe

description pid process target process

PID 1544 set thread context of 296 1544 ikfwnhoh.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1544	ikfwnhoh.exe

pid	process
296	svchost.exe

description	pid	process	target process
PID 1544 set thread context of 296	1544	ikfwnhoh.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a4536a56947e279f4408a6929ada63a4.exeikfwnhoh.exe

description	pid	process	target process
PID 1048 wrote to memory of 2024	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 2024	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 2024	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 2024	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	a4536a56947e279f4408a6929ada63a4.exe	cmd.exe
PID 1048 wrote to memory of 1684	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1684	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1684	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1684	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1564	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1564	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1564	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1564	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 964	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 964	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 964	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 964	1048	a4536a56947e279f4408a6929ada63a4.exe	sc.exe
PID 1048 wrote to memory of 1092	1048	a4536a56947e279f4408a6929ada63a4.exe	netsh.exe
PID 1048 wrote to memory of 1092	1048	a4536a56947e279f4408a6929ada63a4.exe	netsh.exe
PID 1048 wrote to memory of 1092	1048	a4536a56947e279f4408a6929ada63a4.exe	netsh.exe
PID 1048 wrote to memory of 1092	1048	a4536a56947e279f4408a6929ada63a4.exe	netsh.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe
PID 1544 wrote to memory of 296	1544	ikfwnhoh.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a4536a56947e279f4408a6929ada63a4.exe
"C:\Users\Admin\AppData\Local\Temp\a4536a56947e279f4408a6929ada63a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\txiazdzj\
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ikfwnhoh.exe" C:\Windows\SysWOW64\txiazdzj\
2⤵
PID:1116

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create txiazdzj binPath= "C:\Windows\SysWOW64\txiazdzj\ikfwnhoh.exe /d\"C:\Users\Admin\AppData\Local\Temp\a4536a56947e279f4408a6929ada63a4.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description txiazdzj "wifi internet conection"
2⤵
PID:1564

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start txiazdzj
2⤵
PID:964

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1092

C:\Windows\SysWOW64\txiazdzj\ikfwnhoh.exe
C:\Windows\SysWOW64\txiazdzj\ikfwnhoh.exe /d"C:\Users\Admin\AppData\Local\Temp\a4536a56947e279f4408a6929ada63a4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ikfwnhoh.exe
MD5
6ecf1952cc1b3fce8b56e93c097f0cc9

SHA1
800504db7ad39cf8417ec75ada99db835050d085

SHA256
551ac2422b4319de869ca51e5994d300c1f5da5726a3a748245af12693c27d7f

SHA512
4a5738464041c1052b699dc9c586173cf1fbfd1d257019b62b65f2a8bead66b3b5685068e2e46b57db8c1dd558e47fbf6b058a7d612c86cdd8040ce20ec2377a

Download Submit
C:\Windows\SysWOW64\txiazdzj\ikfwnhoh.exe
MD5
6ecf1952cc1b3fce8b56e93c097f0cc9

SHA1
800504db7ad39cf8417ec75ada99db835050d085

SHA256
551ac2422b4319de869ca51e5994d300c1f5da5726a3a748245af12693c27d7f

SHA512
4a5738464041c1052b699dc9c586173cf1fbfd1d257019b62b65f2a8bead66b3b5685068e2e46b57db8c1dd558e47fbf6b058a7d612c86cdd8040ce20ec2377a

Download Submit
memory/296-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/296-11-0x0000000000089A6B-mapping.dmp

Download
memory/964-7-0x0000000000000000-mapping.dmp

Download
memory/1092-8-0x0000000000000000-mapping.dmp

Download
memory/1116-3-0x0000000000000000-mapping.dmp

Download
memory/1564-6-0x0000000000000000-mapping.dmp

Download
memory/1684-5-0x0000000000000000-mapping.dmp

Download
memory/2024-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing