tofsee | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb

General

Target

95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe
Size

10.4MB
MD5

7b00e136ab113f2f4efcbdd546eea644
SHA1

46932915dd309e69152fd2e855c8c546d7f7c517
SHA256

95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb
SHA512

2510d7236b22d1084335c11731a55cb049fae0fe7a6278b0c23a03174f125701ec1a6bed713b0d659b9178e4a9974c1a96fe4237c28e7f66a6937207afa363d9

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

bdyexku.exe

pid process

1372 bdyexku.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious use of SetThreadContext 1 IoCs

Processes:

bdyexku.exe

description pid process target process

PID 1372 set thread context of 1140 1372 bdyexku.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1372	bdyexku.exe

description	pid	process	target process
PID 1372 set thread context of 1140	1372	bdyexku.exe	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exebdyexku.exe

description	pid	process	target process
PID 1640 wrote to memory of 1932	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1932	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1932	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1932	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1688	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1688	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1688	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1688	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	cmd.exe
PID 1640 wrote to memory of 1620	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1620	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1620	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1620	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 2024	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 2024	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 2024	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 2024	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1008	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1008	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1008	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 1008	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	sc.exe
PID 1640 wrote to memory of 952	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	netsh.exe
PID 1640 wrote to memory of 952	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	netsh.exe
PID 1640 wrote to memory of 952	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	netsh.exe
PID 1640 wrote to memory of 952	1640	95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe	netsh.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe
PID 1372 wrote to memory of 1140	1372	bdyexku.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe
"C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vozydsur\
2⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bdyexku.exe" C:\Windows\SysWOW64\vozydsur\
2⤵
PID:1688

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vozydsur binPath= "C:\Windows\SysWOW64\vozydsur\bdyexku.exe /d\"C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vozydsur "wifi internet conection"
2⤵
PID:2024

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vozydsur
2⤵
PID:1008

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:952

C:\Windows\SysWOW64\vozydsur\bdyexku.exe
C:\Windows\SysWOW64\vozydsur\bdyexku.exe /d"C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1140

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdyexku.exe
MD5
5c3dd0eae3e26f18a3b9eb627fbe8620

SHA1
742e59d6a89bf719080df5f49a552622e93774f3

SHA256
db786081c6891ed638485186c74e21eab1633fbf47c18356f2a46a797c9c0f24

SHA512
ac0b3314d452c0d57902bacd291cfdd7cfc3ad0bb724bc123d1e0ca01591cbcb1d8eb64ea2abfc84f920a507762b7f5b7f683192d8f202e8d7a3b6d3e228b20c

Download Submit
C:\Windows\SysWOW64\vozydsur\bdyexku.exe
MD5
5c3dd0eae3e26f18a3b9eb627fbe8620

SHA1
742e59d6a89bf719080df5f49a552622e93774f3

SHA256
db786081c6891ed638485186c74e21eab1633fbf47c18356f2a46a797c9c0f24

SHA512
ac0b3314d452c0d57902bacd291cfdd7cfc3ad0bb724bc123d1e0ca01591cbcb1d8eb64ea2abfc84f920a507762b7f5b7f683192d8f202e8d7a3b6d3e228b20c

Download Submit
memory/952-70-0x0000000000000000-mapping.dmp

Download
memory/1008-68-0x0000000000000000-mapping.dmp

Download
memory/1140-73-0x00000000000D9A6B-mapping.dmp

Download
memory/1140-72-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1372-76-0x0000000000400000-0x0000000002DE9000-memory.dmp

Filesize
41.9MB

Download
memory/1620-66-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1640-62-0x0000000000400000-0x0000000002DE9000-memory.dmp

Filesize
41.9MB

Download
memory/1640-61-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1688-64-0x0000000000000000-mapping.dmp

Download
memory/1932-63-0x0000000000000000-mapping.dmp

Download
memory/2024-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing