tofsee | 901a6e2c22ea76188dde3daca9e06098efe263395d8fe3e7040b13a0b426da7c

General

Target

adf0aa260fb8907a875b917311d03d43.exe
Size

11.1MB
MD5

adf0aa260fb8907a875b917311d03d43
SHA1

a60c140529e592bac90323e9a59d667627298681
SHA256

901a6e2c22ea76188dde3daca9e06098efe263395d8fe3e7040b13a0b426da7c
SHA512

02f6e7418eec00809df60ed650cb20674cb263cbe9d37edb0dfc94db93077f30ab98baf4415ba5c69c5a8bb86080055faa42d1bd91787cffd859d18281929c29

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

sqxtsbzq.exe

pid process

576 sqxtsbzq.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1176 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sqxtsbzq.exe

description pid process target process

PID 576 set thread context of 1176 576 sqxtsbzq.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
576	sqxtsbzq.exe

pid	process
1176	svchost.exe

description	pid	process	target process
PID 576 set thread context of 1176	576	sqxtsbzq.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

adf0aa260fb8907a875b917311d03d43.exesqxtsbzq.exe

description	pid	process	target process
PID 1080 wrote to memory of 1228	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1228	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1228	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1228	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1972	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1972	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1972	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1972	1080	adf0aa260fb8907a875b917311d03d43.exe	cmd.exe
PID 1080 wrote to memory of 1248	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1248	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1248	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1248	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1212	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1212	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1212	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 1212	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 268	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 268	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 268	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 1080 wrote to memory of 268	1080	adf0aa260fb8907a875b917311d03d43.exe	sc.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 576 wrote to memory of 1176	576	sqxtsbzq.exe	svchost.exe
PID 1080 wrote to memory of 968	1080	adf0aa260fb8907a875b917311d03d43.exe	netsh.exe
PID 1080 wrote to memory of 968	1080	adf0aa260fb8907a875b917311d03d43.exe	netsh.exe
PID 1080 wrote to memory of 968	1080	adf0aa260fb8907a875b917311d03d43.exe	netsh.exe
PID 1080 wrote to memory of 968	1080	adf0aa260fb8907a875b917311d03d43.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe
"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jbgkkhxc\
2⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sqxtsbzq.exe" C:\Windows\SysWOW64\jbgkkhxc\
2⤵
PID:1972

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jbgkkhxc binPath= "C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe /d\"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1248

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jbgkkhxc "wifi internet conection"
2⤵
PID:1212

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jbgkkhxc
2⤵
PID:268

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:968

C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe
C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe /d"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqxtsbzq.exe
MD5
d7113127426131f6962584d1dcf15db4

SHA1
4a48642ab1d0271a855fdf52181f0d657c73ab9e

SHA256
6379d402d51cb6d7906fcd7dc7d56f94eba4e1ba312ee035ec7e39b718da1715

SHA512
c8f9f495eacc86c1e79a08d1784e0b592024d61501695d5b207790a372c8ab0c87fa28daba37bdeac680850cc25a6a8651d321c895c384fc18903c126d61172a

Download Submit
C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe
MD5
d7113127426131f6962584d1dcf15db4

SHA1
4a48642ab1d0271a855fdf52181f0d657c73ab9e

SHA256
6379d402d51cb6d7906fcd7dc7d56f94eba4e1ba312ee035ec7e39b718da1715

SHA512
c8f9f495eacc86c1e79a08d1784e0b592024d61501695d5b207790a372c8ab0c87fa28daba37bdeac680850cc25a6a8651d321c895c384fc18903c126d61172a

Download Submit
memory/268-7-0x0000000000000000-mapping.dmp

Download
memory/968-12-0x0000000000000000-mapping.dmp

Download
memory/1176-9-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1176-10-0x0000000000089A6B-mapping.dmp

Download
memory/1212-6-0x0000000000000000-mapping.dmp

Download
memory/1228-2-0x0000000000000000-mapping.dmp

Download
memory/1248-5-0x0000000000000000-mapping.dmp

Download
memory/1972-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing