tofsee | 7d89ddfb70a2246032a1ed4b908f7311f2808e11299967f08af6c748d336010a

General

Target

75c5cd21845d8d6b715fb5c86b58c5c7.exe
Size

11.0MB
MD5

75c5cd21845d8d6b715fb5c86b58c5c7
SHA1

492058c37438a6b93fa3c033b0b94c62af4cf7a7
SHA256

7d89ddfb70a2246032a1ed4b908f7311f2808e11299967f08af6c748d336010a
SHA512

d48abfcfddc8ab60efd35296dab49d7f3bfad4cf11a79fd58ab0824fddbd2e6993bf2164ae70f145d69907090cc9c2b4bb6987c4942030031944fe73f5b0d7fe

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

pwjjmxpk.exe

pid process

2648 pwjjmxpk.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

984 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pwjjmxpk.exe

description pid process target process

PID 2648 set thread context of 984 2648 pwjjmxpk.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
2648	pwjjmxpk.exe

pid	process
984	svchost.exe

description	pid	process	target process
PID 2648 set thread context of 984	2648	pwjjmxpk.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

75c5cd21845d8d6b715fb5c86b58c5c7.exepwjjmxpk.exe

description	pid	process	target process
PID 4020 wrote to memory of 1888	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 1888	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 1888	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 2628	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 2628	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 2628	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	cmd.exe
PID 4020 wrote to memory of 3708	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 3708	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 3708	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 2564	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 2564	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 2564	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 3664	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 3664	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 4020 wrote to memory of 3664	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	sc.exe
PID 2648 wrote to memory of 984	2648	pwjjmxpk.exe	svchost.exe
PID 2648 wrote to memory of 984	2648	pwjjmxpk.exe	svchost.exe
PID 2648 wrote to memory of 984	2648	pwjjmxpk.exe	svchost.exe
PID 2648 wrote to memory of 984	2648	pwjjmxpk.exe	svchost.exe
PID 2648 wrote to memory of 984	2648	pwjjmxpk.exe	svchost.exe
PID 4020 wrote to memory of 1308	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	netsh.exe
PID 4020 wrote to memory of 1308	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	netsh.exe
PID 4020 wrote to memory of 1308	4020	75c5cd21845d8d6b715fb5c86b58c5c7.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe
"C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\brfdgxcy\
2⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pwjjmxpk.exe" C:\Windows\SysWOW64\brfdgxcy\
2⤵
PID:2628

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create brfdgxcy binPath= "C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe /d\"C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3708

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description brfdgxcy "wifi internet conection"
2⤵
PID:2564

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start brfdgxcy
2⤵
PID:3664

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1308

C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe
C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe /d"C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pwjjmxpk.exe
MD5
74e8925459d75ce1ac7f2798bc473431

SHA1
fbeed65c1fd00ba819d01ff5e064b6145a418f90

SHA256
b3eff9eb0e602a6ae150e9e7efb1d4d5092dff052d0eb1650d01f90df9e50177

SHA512
24b3d416cbe53c87440a338aa47578a30dbe10b4c4cae50d0ecf20fa4f06f9b98efae8c60f559eebf2d742a6cd25a57fad17aaac52b243e59f2c88231f33b3b3

Download Submit
C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe
MD5
74e8925459d75ce1ac7f2798bc473431

SHA1
fbeed65c1fd00ba819d01ff5e064b6145a418f90

SHA256
b3eff9eb0e602a6ae150e9e7efb1d4d5092dff052d0eb1650d01f90df9e50177

SHA512
24b3d416cbe53c87440a338aa47578a30dbe10b4c4cae50d0ecf20fa4f06f9b98efae8c60f559eebf2d742a6cd25a57fad17aaac52b243e59f2c88231f33b3b3

Download Submit
memory/984-9-0x0000000000E30000-0x0000000000E45000-memory.dmp

Filesize
84KB

Download
memory/984-10-0x0000000000E39A6B-mapping.dmp

Download
memory/1308-12-0x0000000000000000-mapping.dmp

Download
memory/1888-2-0x0000000000000000-mapping.dmp

Download
memory/2564-6-0x0000000000000000-mapping.dmp

Download
memory/2628-3-0x0000000000000000-mapping.dmp

Download
memory/3664-7-0x0000000000000000-mapping.dmp

Download
memory/3708-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing