tofsee | 52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc

General

Target

52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe
Size

10.6MB
MD5

c17c2659957ae4094d32ae28df21361d
SHA1

0e51169e7914e136270f9af8b0a6afa62f81a7b1
SHA256

52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc
SHA512

1af79bfb17b659287108f772e14ea2444301ba3e7f069c72d3bd97b3940c445d03ed0ef49e7d13f52c159dc22e6802543363c3facb7b76e469e77a2214653271

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jjkuufkd = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

vcppsdvq.exe

pid process

764 vcppsdvq.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1672 netsh.exe

pid	process
764	vcppsdvq.exe

pid	process
1672	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jjkuufkd\ImagePath = "C:\\Windows\\SysWOW64\\jjkuufkd\\vcppsdvq.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1532 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vcppsdvq.exe

description pid process target process

PID 764 set thread context of 1532 764 vcppsdvq.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

980 sc.exe
1296 sc.exe
2044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1532	svchost.exe

description	pid	process	target process
PID 764 set thread context of 1532	764	vcppsdvq.exe	svchost.exe

pid	process
980	sc.exe
1296	sc.exe
2044	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exevcppsdvq.exe

description	pid	process	target process
PID 1984 wrote to memory of 1160	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1160	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1160	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1160	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	cmd.exe
PID 1984 wrote to memory of 2044	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 2044	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 2044	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 2044	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 980	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 980	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 980	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 980	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 1296	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 1296	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 1296	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 1984 wrote to memory of 1296	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	sc.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 764 wrote to memory of 1532	764	vcppsdvq.exe	svchost.exe
PID 1984 wrote to memory of 1672	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	netsh.exe
PID 1984 wrote to memory of 1672	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	netsh.exe
PID 1984 wrote to memory of 1672	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	netsh.exe
PID 1984 wrote to memory of 1672	1984	52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe
"C:\Users\Admin\AppData\Local\Temp\52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjkuufkd\
2⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vcppsdvq.exe" C:\Windows\SysWOW64\jjkuufkd\
2⤵
PID:1988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jjkuufkd binPath= "C:\Windows\SysWOW64\jjkuufkd\vcppsdvq.exe /d\"C:\Users\Admin\AppData\Local\Temp\52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2044

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jjkuufkd "wifi internet conection"
2⤵
- Launches sc.exe
PID:980

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jjkuufkd
2⤵
- Launches sc.exe
PID:1296

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1672

C:\Windows\SysWOW64\jjkuufkd\vcppsdvq.exe
C:\Windows\SysWOW64\jjkuufkd\vcppsdvq.exe /d"C:\Users\Admin\AppData\Local\Temp\52a0608d226a649ccb30988a282089b8fd97e3542dce93bfcac50846f2e318fc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vcppsdvq.exe
Filesize
13.4MB

MD5
cda6a200a9d3f33984adc707d536fb49

SHA1
c32a04500097ef7581d0882529e8f409c5a2e4f6

SHA256
05c96ee42cb69dd13e31ff1827e0e4283c231e24da796d6941296018d160d0c5

SHA512
efd75f136d345628346cff1f125dd93fa176368853de7943a522225b70f5233c372e5316542c7a09055828e98db177fd95d722d4ba8d9197d8bc457c494eee07

Download Submit
C:\Windows\SysWOW64\jjkuufkd\vcppsdvq.exe
Filesize
13.4MB

MD5
cda6a200a9d3f33984adc707d536fb49

SHA1
c32a04500097ef7581d0882529e8f409c5a2e4f6

SHA256
05c96ee42cb69dd13e31ff1827e0e4283c231e24da796d6941296018d160d0c5

SHA512
efd75f136d345628346cff1f125dd93fa176368853de7943a522225b70f5233c372e5316542c7a09055828e98db177fd95d722d4ba8d9197d8bc457c494eee07

Download Submit
memory/764-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/980-61-0x0000000000000000-mapping.dmp

Download
memory/1160-56-0x0000000000000000-mapping.dmp

Download
memory/1296-62-0x0000000000000000-mapping.dmp

Download
memory/1532-69-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1532-67-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1532-70-0x0000000000119A6B-mapping.dmp

Download
memory/1532-78-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1532-79-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1672-75-0x0000000000000000-mapping.dmp

Download
memory/1984-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1984-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1988-58-0x0000000000000000-mapping.dmp

Download
memory/2044-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads