tofsee | 19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115

General

Target

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe
Size

14.0MB
MD5

6ffdeca48480ac86795b6f9c26f2d0ca
SHA1

a8eb2514ef334e9fb8622a9eea1b8c2b8b7c024e
SHA256

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115
SHA512

1528b11f286b8ffa40470c8681caa215bd2425b4cadeab8537392fa1e7c3853b2f3150a3668401c0523ebea44bd6a629f691c70b53f55883f7c36cf8694df2f6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

lxysnjkh.exe

pid process

2772 lxysnjkh.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3728 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lxysnjkh.exe

description pid process target process

PID 2772 set thread context of 3728 2772 lxysnjkh.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2772	lxysnjkh.exe

pid	process
3728	svchost.exe

description	pid	process	target process
PID 2772 set thread context of 3728	2772	lxysnjkh.exe	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exelxysnjkh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	lxysnjkh.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exelxysnjkh.exe

description	pid	process	target process
PID 3260 wrote to memory of 3028	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 3028	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 3028	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 4040	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 4040	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 4040	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	cmd.exe
PID 3260 wrote to memory of 2204	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 2204	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 2204	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 3772	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 3772	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 3772	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 2268	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 2268	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 2268	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	sc.exe
PID 3260 wrote to memory of 1188	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	netsh.exe
PID 3260 wrote to memory of 1188	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	netsh.exe
PID 3260 wrote to memory of 1188	3260	19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe	netsh.exe
PID 2772 wrote to memory of 3728	2772	lxysnjkh.exe	svchost.exe
PID 2772 wrote to memory of 3728	2772	lxysnjkh.exe	svchost.exe
PID 2772 wrote to memory of 3728	2772	lxysnjkh.exe	svchost.exe
PID 2772 wrote to memory of 3728	2772	lxysnjkh.exe	svchost.exe
PID 2772 wrote to memory of 3728	2772	lxysnjkh.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe
"C:\Users\Admin\AppData\Local\Temp\19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\srvgoqkp\
2⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lxysnjkh.exe" C:\Windows\SysWOW64\srvgoqkp\
2⤵
PID:4040

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create srvgoqkp binPath= "C:\Windows\SysWOW64\srvgoqkp\lxysnjkh.exe /d\"C:\Users\Admin\AppData\Local\Temp\19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2204

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description srvgoqkp "wifi internet conection"
2⤵
PID:3772

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start srvgoqkp
2⤵
PID:2268

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1188

C:\Windows\SysWOW64\srvgoqkp\lxysnjkh.exe
C:\Windows\SysWOW64\srvgoqkp\lxysnjkh.exe /d"C:\Users\Admin\AppData\Local\Temp\19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Deletes itself
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lxysnjkh.exe
MD5
3879e02719238cc75bf94ac7049a438d

SHA1
054ab9e2399e899c4f0d07632ea07d5d9cdff1c6

SHA256
42ea1e424681a808265055417fdb97dfc0d02c91038ff5b7b3ed3451cbe0fe8d

SHA512
a2a91c947b7be4b8d74e26104514e35f5a24a198c09397133a772fd9acb5abf15b6fb53eb5e62cf9329eb6f4f7c478a1042bd7dfad3df3440b6f2279d2040b3e

Download Submit
C:\Windows\SysWOW64\srvgoqkp\lxysnjkh.exe
MD5
3879e02719238cc75bf94ac7049a438d

SHA1
054ab9e2399e899c4f0d07632ea07d5d9cdff1c6

SHA256
42ea1e424681a808265055417fdb97dfc0d02c91038ff5b7b3ed3451cbe0fe8d

SHA512
a2a91c947b7be4b8d74e26104514e35f5a24a198c09397133a772fd9acb5abf15b6fb53eb5e62cf9329eb6f4f7c478a1042bd7dfad3df3440b6f2279d2040b3e

Download Submit
memory/1188-125-0x0000000000000000-mapping.dmp

Download
memory/2204-120-0x0000000000000000-mapping.dmp

Download
memory/2268-122-0x0000000000000000-mapping.dmp

Download
memory/2772-130-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/3028-117-0x0000000000000000-mapping.dmp

Download
memory/3260-114-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3260-116-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3260-115-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3728-126-0x0000000000E10000-0x0000000000E25000-memory.dmp

Filesize
84KB

Download
memory/3728-127-0x0000000000E19A6B-mapping.dmp

Download
memory/3772-121-0x0000000000000000-mapping.dmp

Download
memory/4040-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing