tofsee | 31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed

General

Target

b5c0d38dbf30c0db0bab6b5e9e6830ed.exe
Size

11.6MB
MD5

b5c0d38dbf30c0db0bab6b5e9e6830ed
SHA1

73d4487644c81ac0cdc8ba59cfbe4b610d02ac4d
SHA256

31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed
SHA512

d97ec4dec0f04aef6aa1468ecd97394d29d359e125374ac53d0733b6cfe340d5f37b67c319b61a2d8132125c587b9775ea45fb2a3acdcf2983b0dfb43a94a07e

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b5c0d38dbf30c0db0bab6b5e9e6830ed.exe

description	pid	process	target process
PID 1204 wrote to memory of 1988	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 2032	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 2032	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 2032	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 2032	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	cmd.exe
PID 1204 wrote to memory of 1924	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1924	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1924	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1924	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1696	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1696	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1696	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1696	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1648	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1648	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1648	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1648	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	sc.exe
PID 1204 wrote to memory of 1368	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	netsh.exe
PID 1204 wrote to memory of 1368	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	netsh.exe
PID 1204 wrote to memory of 1368	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	netsh.exe
PID 1204 wrote to memory of 1368	1204	b5c0d38dbf30c0db0bab6b5e9e6830ed.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe
"C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rlqbwlwk\
2⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yxnjqmr.exe" C:\Windows\SysWOW64\rlqbwlwk\
2⤵
PID:2032

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rlqbwlwk binPath= "C:\Windows\SysWOW64\rlqbwlwk\yxnjqmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rlqbwlwk "wifi internet conection"
2⤵
PID:1696

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rlqbwlwk
2⤵
PID:1648

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yxnjqmr.exe
MD5
bf31c0085ee45716e13a8458857e5e09

SHA1
e20e9b4e91380349ca14a6b14270a3c94af2eb6a

SHA256
158c59a2e6894a1e62884cafbb86a335453b24a8c08b1f03565c848333a0395d

SHA512
29cd3ceb32e64f909f259bbcb2767499de7d24949b2b59bbf76e786e98256d52d17ec5347428a352fefc7df60f0b508b4b53beafc493920cf06b1acfd8b92d30

Download Submit
memory/1368-8-0x0000000000000000-mapping.dmp

Download
memory/1648-7-0x0000000000000000-mapping.dmp

Download
memory/1696-6-0x0000000000000000-mapping.dmp

Download
memory/1924-5-0x0000000000000000-mapping.dmp

Download
memory/1988-2-0x0000000000000000-mapping.dmp

Download
memory/2032-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing