tofsee | d3a5a7bd70448e907398655362e916a9de3c8e80f9af2582e6bacdb01b0b502a

General

Target

0886900e6ab222d3c07748d15656ac31.exe
Size

10.6MB
MD5

0886900e6ab222d3c07748d15656ac31
SHA1

09d03036d44c671692f1127c9f5b4a0d402b3774
SHA256

d3a5a7bd70448e907398655362e916a9de3c8e80f9af2582e6bacdb01b0b502a
SHA512

6520f0aa808539930f88c8f1f372f46de75c8ec12cee9774cbe3f885c78fe98a8c6a2c07171bb5d6aecef620e34fc9ef90e23451c166f7f7753107e914adb55f

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

vhicxtur.exe

pid process

1060 vhicxtur.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

524 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vhicxtur.exe

description pid process target process

PID 1060 set thread context of 524 1060 vhicxtur.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1060	vhicxtur.exe

pid	process
524	svchost.exe

description	pid	process	target process
PID 1060 set thread context of 524	1060	vhicxtur.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0886900e6ab222d3c07748d15656ac31.exevhicxtur.exe

description	pid	process	target process
PID 988 wrote to memory of 2412	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 2412	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 2412	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 2768	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 2768	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 2768	988	0886900e6ab222d3c07748d15656ac31.exe	cmd.exe
PID 988 wrote to memory of 3332	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 3332	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 3332	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 200	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 200	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 200	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 760	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 760	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 988 wrote to memory of 760	988	0886900e6ab222d3c07748d15656ac31.exe	sc.exe
PID 1060 wrote to memory of 524	1060	vhicxtur.exe	svchost.exe
PID 1060 wrote to memory of 524	1060	vhicxtur.exe	svchost.exe
PID 1060 wrote to memory of 524	1060	vhicxtur.exe	svchost.exe
PID 1060 wrote to memory of 524	1060	vhicxtur.exe	svchost.exe
PID 1060 wrote to memory of 524	1060	vhicxtur.exe	svchost.exe
PID 988 wrote to memory of 2144	988	0886900e6ab222d3c07748d15656ac31.exe	netsh.exe
PID 988 wrote to memory of 2144	988	0886900e6ab222d3c07748d15656ac31.exe	netsh.exe
PID 988 wrote to memory of 2144	988	0886900e6ab222d3c07748d15656ac31.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe
"C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xmohyhyp\
2⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vhicxtur.exe" C:\Windows\SysWOW64\xmohyhyp\
2⤵
PID:2768

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create xmohyhyp binPath= "C:\Windows\SysWOW64\xmohyhyp\vhicxtur.exe /d\"C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3332

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description xmohyhyp "wifi internet conection"
2⤵
PID:200

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start xmohyhyp
2⤵
PID:760

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2144

C:\Windows\SysWOW64\xmohyhyp\vhicxtur.exe
C:\Windows\SysWOW64\xmohyhyp\vhicxtur.exe /d"C:\Users\Admin\AppData\Local\Temp\0886900e6ab222d3c07748d15656ac31.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vhicxtur.exe
MD5
90d20a2d5e6e3178a716a6456258599f

SHA1
26f84fbbf7940433bee655fb04d49b904b3f9398

SHA256
f709d751f0968acf78f86f9cfd9c37b31d8a4660dc14cbed17a62a2cc526faaf

SHA512
2f74975c04e6673da87f4df916a39e2929ef38256872488994c6e3b536ce84ba99aced3b85175d38e16d415d466fe3f8de4ab24c3214055436e219004ff075ea

Download Submit
C:\Windows\SysWOW64\xmohyhyp\vhicxtur.exe
MD5
90d20a2d5e6e3178a716a6456258599f

SHA1
26f84fbbf7940433bee655fb04d49b904b3f9398

SHA256
f709d751f0968acf78f86f9cfd9c37b31d8a4660dc14cbed17a62a2cc526faaf

SHA512
2f74975c04e6673da87f4df916a39e2929ef38256872488994c6e3b536ce84ba99aced3b85175d38e16d415d466fe3f8de4ab24c3214055436e219004ff075ea

Download Submit
memory/200-6-0x0000000000000000-mapping.dmp

Download
memory/524-9-0x0000000003200000-0x0000000003215000-memory.dmp

Filesize
84KB

Download
memory/524-10-0x0000000003209A6B-mapping.dmp

Download
memory/760-7-0x0000000000000000-mapping.dmp

Download
memory/2144-12-0x0000000000000000-mapping.dmp

Download
memory/2412-2-0x0000000000000000-mapping.dmp

Download
memory/2768-3-0x0000000000000000-mapping.dmp

Download
memory/3332-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing