tofsee | 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525

General

Target

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
Size

13.9MB
MD5

3aaa4aecbe1e2646394602569e6cac7d
SHA1

191a54ac2bc0b727669fd08bb804fc7fd17601d5
SHA256

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
SHA512

7a36b8a7c2fd9189a3987e0ad1d109d3e81072546784d99719104f2359042285aaa2f9f0b4173effd6713b291813d9f08ae8804a87fb89bb0baea3b1fb20e86a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

pnwxgcrn.exe

pid process

4532 pnwxgcrn.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4196 netsh.exe

pid	process
4532	pnwxgcrn.exe

pid	process
4196	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\akmbnsiy\ImagePath = "C:\\Windows\\SysWOW64\\akmbnsiy\\pnwxgcrn.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pnwxgcrn.exe

description pid process target process

PID 4532 set thread context of 2944 4532 pnwxgcrn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2180 sc.exe
4452 sc.exe
4400 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4532 set thread context of 2944	4532	pnwxgcrn.exe	svchost.exe

pid	process
2180	sc.exe
4452	sc.exe
4400	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
556	3524	WerFault.exe	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
2432	4532	WerFault.exe	pnwxgcrn.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exepnwxgcrn.exe

description	pid	process	target process
PID 3524 wrote to memory of 2004	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 2004	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 2004	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 4932	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 4932	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 4932	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	cmd.exe
PID 3524 wrote to memory of 2180	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 2180	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 2180	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4452	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4452	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4452	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4400	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4400	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4400	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	sc.exe
PID 3524 wrote to memory of 4196	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 3524 wrote to memory of 4196	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 3524 wrote to memory of 4196	3524	6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe	netsh.exe
PID 4532 wrote to memory of 2944	4532	pnwxgcrn.exe	svchost.exe
PID 4532 wrote to memory of 2944	4532	pnwxgcrn.exe	svchost.exe
PID 4532 wrote to memory of 2944	4532	pnwxgcrn.exe	svchost.exe
PID 4532 wrote to memory of 2944	4532	pnwxgcrn.exe	svchost.exe
PID 4532 wrote to memory of 2944	4532	pnwxgcrn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\akmbnsiy\
2⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pnwxgcrn.exe" C:\Windows\SysWOW64\akmbnsiy\
2⤵
PID:4932

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create akmbnsiy binPath= "C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe /d\"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2180

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description akmbnsiy "wifi internet conection"
2⤵
- Launches sc.exe
PID:4452

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start akmbnsiy
2⤵
- Launches sc.exe
PID:4400

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 788
2⤵
- Program crash
PID:556

C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe
C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe /d"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 512
2⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3524 -ip 3524
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4532 -ip 4532
1⤵
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pnwxgcrn.exe
Filesize
11.5MB

MD5
a607e1d55186df482ffaea7bb93e21a5

SHA1
7a03cbc36e29da2198d3e4c51e2642676ede5f15

SHA256
7837cc59ce2aba333c0867713f6a3a3e420f3cd76e5ecf250ddff871c1f8c35a

SHA512
7a79f1730abf33a861465075bdec3d57792e7451f2205c6e212fc709b13627b6fa83603d4b8327247ea11b56c787aaa628467688b86e017c4eaba5b3ab53bdb6

Download Submit
C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe
Filesize
11.5MB

MD5
a607e1d55186df482ffaea7bb93e21a5

SHA1
7a03cbc36e29da2198d3e4c51e2642676ede5f15

SHA256
7837cc59ce2aba333c0867713f6a3a3e420f3cd76e5ecf250ddff871c1f8c35a

SHA512
7a79f1730abf33a861465075bdec3d57792e7451f2205c6e212fc709b13627b6fa83603d4b8327247ea11b56c787aaa628467688b86e017c4eaba5b3ab53bdb6

Download Submit
memory/2004-132-0x0000000000000000-mapping.dmp

Download
memory/2180-136-0x0000000000000000-mapping.dmp

Download
memory/2944-152-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2944-146-0x0000000000000000-mapping.dmp

Download
memory/2944-151-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2944-147-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/3524-133-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3524-131-0x0000000002230000-0x0000000002243000-memory.dmp

Filesize
76KB

Download
memory/3524-130-0x00000000005CE000-0x00000000005DC000-memory.dmp

Filesize
56KB

Download
memory/3524-142-0x0000000002230000-0x0000000002243000-memory.dmp

Filesize
76KB

Download
memory/3524-141-0x00000000005CE000-0x00000000005DC000-memory.dmp

Filesize
56KB

Download
memory/3524-143-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4196-140-0x0000000000000000-mapping.dmp

Download
memory/4400-138-0x0000000000000000-mapping.dmp

Download
memory/4452-137-0x0000000000000000-mapping.dmp

Download
memory/4532-145-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4532-144-0x00000000007BA000-0x00000000007C8000-memory.dmp

Filesize
56KB

Download
memory/4532-150-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4932-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads