tofsee | 6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d

General

Target

6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe
Size

11.0MB
MD5

8ece3688f9d0bbcaf5c1d427b248d3aa
SHA1

6de52e16bfae27cd9ae1165f06de75dff5ff6a75
SHA256

6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d
SHA512

8d74bda26ed73fa2d37d12fedd41f8ad86dcfa166fcb85d2b604fde5697ea48afa67ae5039c4092b6e99fd76aa458b43a609ff4628e0f0b7257afc4611baabf9

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nvajumib = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

zubyxuqr.exe

pid process

1616 zubyxuqr.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

776 netsh.exe

pid	process
1616	zubyxuqr.exe

pid	process
776	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nvajumib\ImagePath = "C:\\Windows\\SysWOW64\\nvajumib\\zubyxuqr.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1700 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zubyxuqr.exe

description pid process target process

PID 1616 set thread context of 1700 1616 zubyxuqr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1948 sc.exe
568 sc.exe
992 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1700	svchost.exe

description	pid	process	target process
PID 1616 set thread context of 1700	1616	zubyxuqr.exe	svchost.exe

pid	process
1948	sc.exe
568	sc.exe
992	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exezubyxuqr.exe

description	pid	process	target process
PID 1664 wrote to memory of 1404	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 1404	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 1404	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 1404	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 832	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 832	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 832	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 832	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	cmd.exe
PID 1664 wrote to memory of 992	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 992	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 992	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 992	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 1948	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 1948	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 1948	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 1948	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 568	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 568	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 568	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1664 wrote to memory of 568	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	sc.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1616 wrote to memory of 1700	1616	zubyxuqr.exe	svchost.exe
PID 1664 wrote to memory of 776	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	netsh.exe
PID 1664 wrote to memory of 776	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	netsh.exe
PID 1664 wrote to memory of 776	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	netsh.exe
PID 1664 wrote to memory of 776	1664	6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe
"C:\Users\Admin\AppData\Local\Temp\6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nvajumib\
2⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zubyxuqr.exe" C:\Windows\SysWOW64\nvajumib\
2⤵
PID:832

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nvajumib binPath= "C:\Windows\SysWOW64\nvajumib\zubyxuqr.exe /d\"C:\Users\Admin\AppData\Local\Temp\6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:992

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nvajumib "wifi internet conection"
2⤵
- Launches sc.exe
PID:1948

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nvajumib
2⤵
- Launches sc.exe
PID:568

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:776

C:\Windows\SysWOW64\nvajumib\zubyxuqr.exe
C:\Windows\SysWOW64\nvajumib\zubyxuqr.exe /d"C:\Users\Admin\AppData\Local\Temp\6f398436671f162e6674ddaa035640a7c913cd7aae3b6c33673a94fe9b937c1d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zubyxuqr.exe
Filesize
10.9MB

MD5
1be72bf24a464d3604276510d8c3243f

SHA1
3676526a8802811b76e74a302698a9ffcff2113b

SHA256
b3c2cd7255b24fff6ff8bd5403e438327c21fb32ea09710217d0cb4ce1ad4468

SHA512
a01d3010f3594251388e62b06416c43c4e01383c2edcea64586415769d10e56844d6c733df99815f255cabf87cffe3e6738cfa084e1bb2ee491e4176baf8ff97

Download Submit
C:\Windows\SysWOW64\nvajumib\zubyxuqr.exe
Filesize
10.9MB

MD5
1be72bf24a464d3604276510d8c3243f

SHA1
3676526a8802811b76e74a302698a9ffcff2113b

SHA256
b3c2cd7255b24fff6ff8bd5403e438327c21fb32ea09710217d0cb4ce1ad4468

SHA512
a01d3010f3594251388e62b06416c43c4e01383c2edcea64586415769d10e56844d6c733df99815f255cabf87cffe3e6738cfa084e1bb2ee491e4176baf8ff97

Download Submit
memory/568-62-0x0000000000000000-mapping.dmp

Download
memory/776-74-0x0000000000000000-mapping.dmp

Download
memory/832-58-0x0000000000000000-mapping.dmp

Download
memory/992-60-0x0000000000000000-mapping.dmp

Download
memory/1404-56-0x0000000000000000-mapping.dmp

Download
memory/1616-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-55-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1664-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-66-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1700-68-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1700-69-0x0000000000089A6B-mapping.dmp

Download
memory/1700-77-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1700-78-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads