tofsee | aa95f8cd1b28d2d1065ac290edc78f0ac8d00b3863f52c084a06155202d96c0a

General

Target

bbb0a4f942a2b080cdf71bc38a8518a8.exe
Size

12.2MB
MD5

bbb0a4f942a2b080cdf71bc38a8518a8
SHA1

70b3fc91640e9f9867adf924ead9290023cfae4c
SHA256

aa95f8cd1b28d2d1065ac290edc78f0ac8d00b3863f52c084a06155202d96c0a
SHA512

3cea9d0a723ed744d6fe5afb1c7c4f745efe9565ebc1acf532eba983feab25ce2b9940d980b1e7a8d67d15c0142e3b74cb57344dd95e561ce3d8b7d465a7e470

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ajbajvzq.exe

pid process

1568 ajbajvzq.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

468 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ajbajvzq.exe

description pid process target process

PID 1568 set thread context of 468 1568 ajbajvzq.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1568	ajbajvzq.exe

pid	process
468	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 1568 set thread context of 468	1568	ajbajvzq.exe	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b033da1b2c50524edb47d450dd49d084297dce82e72baa49f3dfd9c7e5d1d31b22c3286cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691cdc834e723dedab644490bdb77b20e5945f04c9f38d3c74bbc4103d29ffac651dd88d4f733cd4f10b4c90d8f6127db9a45f3494b48d662fd69a430f32fea05d579fc2223064b9f8641fc58db27422eb96590dfda8e2377c88f2005469a8946c10d5854a773be5ad552d109d894db2a2f53534fdc48d551de4ad035276a6cb2e569bb47d440dd49d642dfc0a322251dda46d34fe089f571de4ad750531e3a56c10c3854e7023eca5642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74da05cd94	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

bbb0a4f942a2b080cdf71bc38a8518a8.exeajbajvzq.exe

description	pid	process	target process
PID 1204 wrote to memory of 2016	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 2016	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 2016	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 2016	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 1484	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 1484	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 1484	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 1484	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	cmd.exe
PID 1204 wrote to memory of 1844	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1844	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1844	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1844	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1424	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1424	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1424	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1424	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1300	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1300	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1300	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1300	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	sc.exe
PID 1204 wrote to memory of 1540	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	netsh.exe
PID 1204 wrote to memory of 1540	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	netsh.exe
PID 1204 wrote to memory of 1540	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	netsh.exe
PID 1204 wrote to memory of 1540	1204	bbb0a4f942a2b080cdf71bc38a8518a8.exe	netsh.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe
PID 1568 wrote to memory of 468	1568	ajbajvzq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe
"C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\unbukcop\
2⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ajbajvzq.exe" C:\Windows\SysWOW64\unbukcop\
2⤵
PID:1484

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create unbukcop binPath= "C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe /d\"C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1844

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description unbukcop "wifi internet conection"
2⤵
PID:1424

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start unbukcop
2⤵
PID:1300

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1540

C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe
C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe /d"C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajbajvzq.exe
MD5
a3968b48cfb2f8ecd7a9b793c3849d2d

SHA1
ad05a7af3bdfc4e0132598a0a9c494292b3e92cf

SHA256
7539ad9e6d167a66e9e41211068edcb1ac67bca0f920a8b489b346f197aad017

SHA512
bdbdf2632d763d9ec77159d917eb2fc9684571d69cb10e4119d86bc5d942528d9e5899f50079578f54e0f460595a675eb1f281574e7b78f0be3d41b2e2d56ddd

Download Submit
C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe
MD5
a3968b48cfb2f8ecd7a9b793c3849d2d

SHA1
ad05a7af3bdfc4e0132598a0a9c494292b3e92cf

SHA256
7539ad9e6d167a66e9e41211068edcb1ac67bca0f920a8b489b346f197aad017

SHA512
bdbdf2632d763d9ec77159d917eb2fc9684571d69cb10e4119d86bc5d942528d9e5899f50079578f54e0f460595a675eb1f281574e7b78f0be3d41b2e2d56ddd

Download Submit
memory/468-10-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/468-11-0x00000000000C9A6B-mapping.dmp

Download
memory/1300-7-0x0000000000000000-mapping.dmp

Download
memory/1424-6-0x0000000000000000-mapping.dmp

Download
memory/1484-3-0x0000000000000000-mapping.dmp

Download
memory/1540-8-0x0000000000000000-mapping.dmp

Download
memory/1844-5-0x0000000000000000-mapping.dmp

Download
memory/2016-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing