tofsee | 09519dcbbda00e527d6e23fa992978426938709819a7dd9cd9bd114ecdb915c9

General

Target

b0ef9fcbeb328309d351e64c5a9d9b28.exe
Size

12.6MB
MD5

b0ef9fcbeb328309d351e64c5a9d9b28
SHA1

300fd154888d07410f05d93617af4ea2087ff7d3
SHA256

09519dcbbda00e527d6e23fa992978426938709819a7dd9cd9bd114ecdb915c9
SHA512

a10b85f67fc87e579420141436195d91288b58fa105552f5d8abe670248d583f7ec18999238662ea267b03dd2b38e322b41cac8344b498fa1556c903563fd2a6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

lgnkjgcd.exe

pid process

884 lgnkjgcd.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3848 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lgnkjgcd.exe

description pid process target process

PID 884 set thread context of 3848 884 lgnkjgcd.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
884	lgnkjgcd.exe

pid	process
3848	svchost.exe

description	pid	process	target process
PID 884 set thread context of 3848	884	lgnkjgcd.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b0ef9fcbeb328309d351e64c5a9d9b28.exelgnkjgcd.exe

description	pid	process	target process
PID 1176 wrote to memory of 2960	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 2960	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 2960	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 988	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 988	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 988	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	cmd.exe
PID 1176 wrote to memory of 196	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 196	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 196	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 3700	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 3700	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 3700	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 4076	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 4076	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 4076	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	sc.exe
PID 1176 wrote to memory of 1484	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	netsh.exe
PID 1176 wrote to memory of 1484	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	netsh.exe
PID 1176 wrote to memory of 1484	1176	b0ef9fcbeb328309d351e64c5a9d9b28.exe	netsh.exe
PID 884 wrote to memory of 3848	884	lgnkjgcd.exe	svchost.exe
PID 884 wrote to memory of 3848	884	lgnkjgcd.exe	svchost.exe
PID 884 wrote to memory of 3848	884	lgnkjgcd.exe	svchost.exe
PID 884 wrote to memory of 3848	884	lgnkjgcd.exe	svchost.exe
PID 884 wrote to memory of 3848	884	lgnkjgcd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe
"C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\esvwqtct\
2⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe" C:\Windows\SysWOW64\esvwqtct\
2⤵
PID:988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create esvwqtct binPath= "C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe /d\"C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:196

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description esvwqtct "wifi internet conection"
2⤵
PID:3700

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start esvwqtct
2⤵
PID:4076

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1484

C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe
C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe /d"C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe
MD5
fd64dfaa5f2a481e94f984e258a6dd80

SHA1
49c06901cc7506339ceadd2351f073f8da6e769a

SHA256
41d63dd382ef7cc9208058f27c77ccd923ef2ef1087695b40a9c69aaf932a5ee

SHA512
2480f6810474909b748efc2a9ed8d29ef6ba19d5a5f4af25127e4d31307d943729c837791fec9fa87d4846d44eb8f58b624cbdc73ad629a6e9fb634fc4d69e74

Download Submit
C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe
MD5
fd64dfaa5f2a481e94f984e258a6dd80

SHA1
49c06901cc7506339ceadd2351f073f8da6e769a

SHA256
41d63dd382ef7cc9208058f27c77ccd923ef2ef1087695b40a9c69aaf932a5ee

SHA512
2480f6810474909b748efc2a9ed8d29ef6ba19d5a5f4af25127e4d31307d943729c837791fec9fa87d4846d44eb8f58b624cbdc73ad629a6e9fb634fc4d69e74

Download Submit
memory/196-5-0x0000000000000000-mapping.dmp

Download
memory/988-3-0x0000000000000000-mapping.dmp

Download
memory/1484-8-0x0000000000000000-mapping.dmp

Download
memory/2960-2-0x0000000000000000-mapping.dmp

Download
memory/3700-6-0x0000000000000000-mapping.dmp

Download
memory/3848-10-0x0000000000A90000-0x0000000000AA5000-memory.dmp

Filesize
84KB

Download
memory/3848-11-0x0000000000A99A6B-mapping.dmp

Download
memory/4076-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing