tofsee | c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea

General

Target

0ba67a86a3e1555aeeaed68564e7d57b.exe
Size

12.1MB
MD5

0ba67a86a3e1555aeeaed68564e7d57b
SHA1

f1765a0967b190834da6364e6831fab65a9b730c
SHA256

c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea
SHA512

9abf7f9cf07ae4a2baf8adf08449aa359b1756a8cc63cda8165926f72357a7a936e2526b46bb71a1cfe548ee8f5c48002c1eef41272f8ad6442aecd10bbfa21f

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

hjxymuwg.exe

pid process

1056 hjxymuwg.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1248 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hjxymuwg.exe

description pid process target process

PID 1056 set thread context of 1248 1056 hjxymuwg.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1056	hjxymuwg.exe

pid	process
1248	svchost.exe

description	pid	process	target process
PID 1056 set thread context of 1248	1056	hjxymuwg.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0ba67a86a3e1555aeeaed68564e7d57b.exehjxymuwg.exe

description	pid	process	target process
PID 1156 wrote to memory of 544	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 544	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 544	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 928	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 928	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 928	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	cmd.exe
PID 1156 wrote to memory of 216	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 216	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 216	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 1944	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 1944	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 1944	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 3204	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 3204	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1156 wrote to memory of 3204	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	sc.exe
PID 1056 wrote to memory of 1248	1056	hjxymuwg.exe	svchost.exe
PID 1056 wrote to memory of 1248	1056	hjxymuwg.exe	svchost.exe
PID 1056 wrote to memory of 1248	1056	hjxymuwg.exe	svchost.exe
PID 1056 wrote to memory of 1248	1056	hjxymuwg.exe	svchost.exe
PID 1056 wrote to memory of 1248	1056	hjxymuwg.exe	svchost.exe
PID 1156 wrote to memory of 2084	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe
PID 1156 wrote to memory of 2084	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe
PID 1156 wrote to memory of 2084	1156	0ba67a86a3e1555aeeaed68564e7d57b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe
"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gnefsshx\
2⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hjxymuwg.exe" C:\Windows\SysWOW64\gnefsshx\
2⤵
PID:928

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gnefsshx binPath= "C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe /d\"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:216

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gnefsshx "wifi internet conection"
2⤵
PID:1944

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gnefsshx
2⤵
PID:3204

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2084

C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe
C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe /d"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hjxymuwg.exe
MD5
ca0818f5681dd3670e081bd38f9a47c4

SHA1
7ceebefd09484cd29c1adadd5f420f39d863afc5

SHA256
f9c7c7a56c3dd4c49cdf0743e38ce8f4f9a183255d780b66f12aed6485985f13

SHA512
b417d3ef004626cd01956f51269aeb183ad3498b7a2e6d0f2380833cdb9d71708aa0405ae710899cf89f5d00ef6fb95cd5acedfcf26fec46da361c432dded3ea

Download Submit
C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe
MD5
ca0818f5681dd3670e081bd38f9a47c4

SHA1
7ceebefd09484cd29c1adadd5f420f39d863afc5

SHA256
f9c7c7a56c3dd4c49cdf0743e38ce8f4f9a183255d780b66f12aed6485985f13

SHA512
b417d3ef004626cd01956f51269aeb183ad3498b7a2e6d0f2380833cdb9d71708aa0405ae710899cf89f5d00ef6fb95cd5acedfcf26fec46da361c432dded3ea

Download Submit
memory/216-5-0x0000000000000000-mapping.dmp

Download
memory/544-2-0x0000000000000000-mapping.dmp

Download
memory/928-3-0x0000000000000000-mapping.dmp

Download
memory/1248-9-0x0000000002F20000-0x0000000002F35000-memory.dmp

Filesize
84KB

Download
memory/1248-10-0x0000000002F29A6B-mapping.dmp

Download
memory/1944-6-0x0000000000000000-mapping.dmp

Download
memory/2084-11-0x0000000000000000-mapping.dmp

Download
memory/3204-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing