tofsee | 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525

General

Target

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
Size

13.9MB
MD5

3aaa4aecbe1e2646394602569e6cac7d
SHA1

191a54ac2bc0b727669fd08bb804fc7fd17601d5
SHA256

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
SHA512

7a36b8a7c2fd9189a3987e0ad1d109d3e81072546784d99719104f2359042285aaa2f9f0b4173effd6713b291813d9f08ae8804a87fb89bb0baea3b1fb20e86a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vqhkfxk = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

oiizktkm.exe

pid process

680 oiizktkm.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

584 netsh.exe

pid	process
680	oiizktkm.exe

pid	process
584	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vqhkfxk\ImagePath = "C:\\Windows\\SysWOW64\\vqhkfxk\\oiizktkm.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

928 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

oiizktkm.exe

description pid process target process

PID 680 set thread context of 928 680 oiizktkm.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1288 sc.exe
964 sc.exe
664 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
928	svchost.exe

description	pid	process	target process
PID 680 set thread context of 928	680	oiizktkm.exe	svchost.exe

pid	process
1288	sc.exe
964	sc.exe
664	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exeoiizktkm.exe

description	pid	process	target process
PID 800 wrote to memory of 1972	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1972	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1972	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1972	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1796	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1796	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1796	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1796	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 800 wrote to memory of 1288	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 1288	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 1288	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 1288	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 964	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 964	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 964	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 964	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 664	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 664	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 664	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 664	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 800 wrote to memory of 584	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 800 wrote to memory of 584	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 800 wrote to memory of 584	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 800 wrote to memory of 584	800	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe
PID 680 wrote to memory of 928	680	oiizktkm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vqhkfxk\
2⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oiizktkm.exe" C:\Windows\SysWOW64\vqhkfxk\
2⤵
PID:1796

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vqhkfxk binPath= "C:\Windows\SysWOW64\vqhkfxk\oiizktkm.exe /d\"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1288

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vqhkfxk "wifi internet conection"
2⤵
- Launches sc.exe
PID:964

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vqhkfxk
2⤵
- Launches sc.exe
PID:664

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:584

C:\Windows\SysWOW64\vqhkfxk\oiizktkm.exe
C:\Windows\SysWOW64\vqhkfxk\oiizktkm.exe /d"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oiizktkm.exe
Filesize
14.7MB

MD5
bde9e61449b78098dfd0d351d361b5e3

SHA1
6a38d0dec4d48fe791b1f7a8393837e68ebb5dfb

SHA256
5510628aa83f28a2d43fb02b78e4c3b5d430d8a845fc9205d911231441979530

SHA512
1dbf25157e907e0885238d0539d84732116ba02740ccd2d34a90e7e9c8c1812b8ea02475eb1a67f6bd255515414372f11344845b8a3b5ecee25c9d9303c6c4d7

Download Submit
C:\Windows\SysWOW64\vqhkfxk\oiizktkm.exe
Filesize
14.7MB

MD5
bde9e61449b78098dfd0d351d361b5e3

SHA1
6a38d0dec4d48fe791b1f7a8393837e68ebb5dfb

SHA256
5510628aa83f28a2d43fb02b78e4c3b5d430d8a845fc9205d911231441979530

SHA512
1dbf25157e907e0885238d0539d84732116ba02740ccd2d34a90e7e9c8c1812b8ea02475eb1a67f6bd255515414372f11344845b8a3b5ecee25c9d9303c6c4d7

Download Submit
memory/584-65-0x0000000000000000-mapping.dmp

Download
memory/664-63-0x0000000000000000-mapping.dmp

Download
memory/680-74-0x000000000059D000-0x00000000005AB000-memory.dmp

Filesize
56KB

Download
memory/680-77-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/800-66-0x00000000002ED000-0x00000000002FB000-memory.dmp

Filesize
56KB

Download
memory/800-56-0x00000000002ED000-0x00000000002FB000-memory.dmp

Filesize
56KB

Download
memory/800-57-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/800-58-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/800-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/800-67-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/928-72-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/928-70-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/928-73-0x00000000000C9A6B-mapping.dmp

Download
memory/928-79-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/928-80-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/964-62-0x0000000000000000-mapping.dmp

Download
memory/1288-61-0x0000000000000000-mapping.dmp

Download
memory/1796-59-0x0000000000000000-mapping.dmp

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads