tofsee | 19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf

General

Target

19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe
Size

142KB
MD5

70780b64e4a6d98605af8971d4c087ea
SHA1

862b12cfea6bf1c5e636f58e8bcdaf89482c94af
SHA256

19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf
SHA512

cbdfdf35c0f31aaf4870709aa07c3c93edf8c5b504d39f44838e9ffc4d7eeee3483e9c3a6c98a92d1fcdbb3e0e585127f0635c535575faa2509f9dbd54ac3950

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

pfjxnjem.exe

pid process

1948 pfjxnjem.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1096 netsh.exe

pid	process
1948	pfjxnjem.exe

pid	process
1096	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\healfpvy\ImagePath = "C:\\Windows\\SysWOW64\\healfpvy\\pfjxnjem.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1448 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pfjxnjem.exe

description pid process target process

PID 1948 set thread context of 1448 1948 pfjxnjem.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

524 sc.exe
872 sc.exe
1540 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1448	svchost.exe

description	pid	process	target process
PID 1948 set thread context of 1448	1948	pfjxnjem.exe	svchost.exe

pid	process
524	sc.exe
872	sc.exe
1540	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exepfjxnjem.exe

description	pid	process	target process
PID 1648 wrote to memory of 1532	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1532	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1532	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1532	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1324	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1324	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1324	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1324	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	cmd.exe
PID 1648 wrote to memory of 1540	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 1540	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 1540	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 1540	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 524	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 524	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 524	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 524	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 872	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 872	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 872	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 872	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	sc.exe
PID 1648 wrote to memory of 1096	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	netsh.exe
PID 1648 wrote to memory of 1096	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	netsh.exe
PID 1648 wrote to memory of 1096	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	netsh.exe
PID 1648 wrote to memory of 1096	1648	19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe	netsh.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe
PID 1948 wrote to memory of 1448	1948	pfjxnjem.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe
"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\healfpvy\
2⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pfjxnjem.exe" C:\Windows\SysWOW64\healfpvy\
2⤵
PID:1324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create healfpvy binPath= "C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe /d\"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1540

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description healfpvy "wifi internet conection"
2⤵
- Launches sc.exe
PID:524

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start healfpvy
2⤵
- Launches sc.exe
PID:872

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1096

C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe
C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe /d"C:\Users\Admin\AppData\Local\Temp\19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pfjxnjem.exe
Filesize
11.7MB

MD5
6da79deee61f0fc7f4d21dbb15ca1163

SHA1
cd225a4f7cb3df3069664d18bc21011b630f6c61

SHA256
f22435044d6a5f90d08e8f1c3a65b35759784f376d3c4617b6b2b9bdae42d2a4

SHA512
b2108ce7070f79e04f68c43f2b336c81c4809ff0970d6d1bcd91f675962794f50fb3ae88fb8ee1027b1845256a170969b71331b6bc412c95f11bffcca6f50917

Download Submit
C:\Windows\SysWOW64\healfpvy\pfjxnjem.exe
Filesize
11.7MB

MD5
6da79deee61f0fc7f4d21dbb15ca1163

SHA1
cd225a4f7cb3df3069664d18bc21011b630f6c61

SHA256
f22435044d6a5f90d08e8f1c3a65b35759784f376d3c4617b6b2b9bdae42d2a4

SHA512
b2108ce7070f79e04f68c43f2b336c81c4809ff0970d6d1bcd91f675962794f50fb3ae88fb8ee1027b1845256a170969b71331b6bc412c95f11bffcca6f50917

Download Submit
memory/524-60-0x0000000000000000-mapping.dmp

Download
memory/872-61-0x0000000000000000-mapping.dmp

Download
memory/1096-63-0x0000000000000000-mapping.dmp

Download
memory/1324-57-0x0000000000000000-mapping.dmp

Download
memory/1448-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1448-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1448-70-0x0000000000089A6B-mapping.dmp

Download
memory/1448-74-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1448-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1532-56-0x0000000000000000-mapping.dmp

Download
memory/1540-59-0x0000000000000000-mapping.dmp

Download
memory/1648-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1648-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1948-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing