tofsee | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd

General

Target

19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
Size

288KB
MD5

ffaa945215f29ebe8b8f0c1028e5c01e
SHA1

b6f02fa269199d9fff4dbfc8f1e0914047de38f5
SHA256

19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd
SHA512

1758960ab2c5265440e4b1b02b8cdabe9de43dedd5dc16e4050be5a6b340764a83f0abc967c358f6dfc4714c8b6782592bf2ba91a0070888d62e67bca3310976

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ttsyjxeh.exe

pid process

4792 ttsyjxeh.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2088 netsh.exe

pid	process
4792	ttsyjxeh.exe

pid	process
2088	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\inbjohvy\ImagePath = "C:\\Windows\\SysWOW64\\inbjohvy\\ttsyjxeh.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ttsyjxeh.exe

description pid process target process

PID 4792 set thread context of 2920 4792 ttsyjxeh.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4212 sc.exe
4604 sc.exe
4228 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 4644 WerFault.exe 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe

description	pid	process	target process
PID 4792 set thread context of 2920	4792	ttsyjxeh.exe	svchost.exe

pid	process
4212	sc.exe
4604	sc.exe
4228	sc.exe

pid	pid_target	process	target process
1836	4644	WerFault.exe	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exettsyjxeh.exe

description	pid	process	target process
PID 4644 wrote to memory of 4552	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 4552	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 4552	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 1428	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 1428	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 1428	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	cmd.exe
PID 4644 wrote to memory of 4212	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4212	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4212	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4604	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4604	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4604	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4228	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4228	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 4228	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	sc.exe
PID 4644 wrote to memory of 2088	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	netsh.exe
PID 4644 wrote to memory of 2088	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	netsh.exe
PID 4644 wrote to memory of 2088	4644	19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe	netsh.exe
PID 4792 wrote to memory of 2920	4792	ttsyjxeh.exe	svchost.exe
PID 4792 wrote to memory of 2920	4792	ttsyjxeh.exe	svchost.exe
PID 4792 wrote to memory of 2920	4792	ttsyjxeh.exe	svchost.exe
PID 4792 wrote to memory of 2920	4792	ttsyjxeh.exe	svchost.exe
PID 4792 wrote to memory of 2920	4792	ttsyjxeh.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\inbjohvy\
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\inbjohvy\
2⤵
PID:1428

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create inbjohvy binPath= "C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4212

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description inbjohvy "wifi internet conection"
2⤵
- Launches sc.exe
PID:4604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start inbjohvy
2⤵
- Launches sc.exe
PID:4228

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 656
2⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe
C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 4644
1⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe
Filesize
13.6MB

MD5
5fbb58b3be376835e11c4993abfd4faa

SHA1
4325d390b94f42a97c755ce7794959d1166845d5

SHA256
e20b92e929af31c235f05c147cc486091283d21261e5db1785af550baff75a75

SHA512
6cfd497903bde3f1e27e9cbdef71fe9a58bebe67651354d2e8b36f6048615cf7706801e7ee0a642504b83e64fbdc9dfcd63a122e5117bcdc932ca047f712ca1c

Download Submit
C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe
Filesize
13.6MB

MD5
5fbb58b3be376835e11c4993abfd4faa

SHA1
4325d390b94f42a97c755ce7794959d1166845d5

SHA256
e20b92e929af31c235f05c147cc486091283d21261e5db1785af550baff75a75

SHA512
6cfd497903bde3f1e27e9cbdef71fe9a58bebe67651354d2e8b36f6048615cf7706801e7ee0a642504b83e64fbdc9dfcd63a122e5117bcdc932ca047f712ca1c

Download Submit
memory/1428-134-0x0000000000000000-mapping.dmp

Download
memory/2088-139-0x0000000000000000-mapping.dmp

Download
memory/2920-143-0x0000000000000000-mapping.dmp

Download
memory/2920-149-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/2920-144-0x0000000001280000-0x0000000001295000-memory.dmp

Filesize
84KB

Download
memory/4212-136-0x0000000000000000-mapping.dmp

Download
memory/4228-138-0x0000000000000000-mapping.dmp

Download
memory/4552-133-0x0000000000000000-mapping.dmp

Download
memory/4604-137-0x0000000000000000-mapping.dmp

Download
memory/4644-132-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download
memory/4644-141-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download
memory/4644-131-0x0000000000D50000-0x0000000000D61000-memory.dmp

Filesize
68KB

Download
memory/4644-130-0x0000000000D50000-0x0000000000D61000-memory.dmp

Filesize
68KB

Download
memory/4644-151-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download
memory/4792-142-0x0000000000E6C000-0x0000000000E7C000-memory.dmp

Filesize
64KB

Download
memory/4792-150-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download
memory/4792-147-0x0000000000E6C000-0x0000000000E7C000-memory.dmp

Filesize
64KB

Download
memory/4792-148-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download
memory/4792-152-0x0000000000400000-0x0000000000C4E000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads