tofsee | afa62a6fd9ec6720a1d9898f904ccb67e05bea02662a94f29e8c4857922ba72d

General

Target

a934ab104f9f10c9bbcea5891d59ab05.exe
Size

12.7MB
MD5

a934ab104f9f10c9bbcea5891d59ab05
SHA1

3a8abf7057597105985d2b809ed1bb5e51cc98be
SHA256

afa62a6fd9ec6720a1d9898f904ccb67e05bea02662a94f29e8c4857922ba72d
SHA512

305096ac368b73e8a29754391cb628b23b3b1f949b48a9eba0bf98ad5632493e170fdab7fe70d3322a28eca51eb850c415dd122e6137255099b12eeab131eb65

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

lqddgfva.exe

pid process

1696 lqddgfva.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

632 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lqddgfva.exe

description pid process target process

PID 1696 set thread context of 632 1696 lqddgfva.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1696	lqddgfva.exe

pid	process
632	svchost.exe

description	pid	process	target process
PID 1696 set thread context of 632	1696	lqddgfva.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a934ab104f9f10c9bbcea5891d59ab05.exelqddgfva.exe

description	pid	process	target process
PID 612 wrote to memory of 2028	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2028	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2028	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2028	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2012	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2012	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2012	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 2012	612	a934ab104f9f10c9bbcea5891d59ab05.exe	cmd.exe
PID 612 wrote to memory of 828	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 828	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 828	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 828	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 1552	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 1552	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 1552	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 1552	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 580	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 580	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 580	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 580	612	a934ab104f9f10c9bbcea5891d59ab05.exe	sc.exe
PID 612 wrote to memory of 860	612	a934ab104f9f10c9bbcea5891d59ab05.exe	netsh.exe
PID 612 wrote to memory of 860	612	a934ab104f9f10c9bbcea5891d59ab05.exe	netsh.exe
PID 612 wrote to memory of 860	612	a934ab104f9f10c9bbcea5891d59ab05.exe	netsh.exe
PID 612 wrote to memory of 860	612	a934ab104f9f10c9bbcea5891d59ab05.exe	netsh.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe
PID 1696 wrote to memory of 632	1696	lqddgfva.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe
"C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nhoypvwa\
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lqddgfva.exe" C:\Windows\SysWOW64\nhoypvwa\
2⤵
PID:2012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nhoypvwa binPath= "C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe /d\"C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:828

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nhoypvwa "wifi internet conection"
2⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nhoypvwa
2⤵
PID:580

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:860

C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe
C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe /d"C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lqddgfva.exe
MD5
b8975a04fde464b345a193f47d772cbd

SHA1
6064013a5619b8c62fea8afd35247919d531cab6

SHA256
038e2d246fe711c99dd8fdb201f757481c73cb7a455f06b814007fd459f15466

SHA512
dfde86fcb6e2357f89234d9631b52c5ac7487340cc0df8ed0fd3c6aadf1ee9ec14c5ff76d52b9d7e74b9f49442d019a49f6d167ec8a5a7d043b6580c703742f2

Download Submit
C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe
MD5
b8975a04fde464b345a193f47d772cbd

SHA1
6064013a5619b8c62fea8afd35247919d531cab6

SHA256
038e2d246fe711c99dd8fdb201f757481c73cb7a455f06b814007fd459f15466

SHA512
dfde86fcb6e2357f89234d9631b52c5ac7487340cc0df8ed0fd3c6aadf1ee9ec14c5ff76d52b9d7e74b9f49442d019a49f6d167ec8a5a7d043b6580c703742f2

Download Submit
memory/580-7-0x0000000000000000-mapping.dmp

Download
memory/632-10-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/632-11-0x00000000000C9A6B-mapping.dmp

Download
memory/828-5-0x0000000000000000-mapping.dmp

Download
memory/860-8-0x0000000000000000-mapping.dmp

Download
memory/1552-6-0x0000000000000000-mapping.dmp

Download
memory/2012-3-0x0000000000000000-mapping.dmp

Download
memory/2028-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing