tofsee | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916

General

Target

24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
Size

137KB
MD5

911c4ae779e7af73f21e1afdfeb951f1
SHA1

bc95d722e615b2862ffbd745944ac1dafa189943
SHA256

24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916
SHA512

97901a6f794124dd67ffcc1e0e97c4639b8b35ab8ed15ad249a35a8eb82491bc50283c58e94dad8d5efd6550f0ac0364b89c34ad1a91c4e90f5755956dd04cbd

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ycjtthrn.exe

pid process

1488 ycjtthrn.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1620 netsh.exe

pid	process
1488	ycjtthrn.exe

pid	process
1620	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwbsdvmy\ImagePath = "C:\\Windows\\SysWOW64\\gwbsdvmy\\ycjtthrn.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

472 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ycjtthrn.exe

description pid process target process

PID 1488 set thread context of 472 1488 ycjtthrn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

108 sc.exe
524 sc.exe
1888 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
472	svchost.exe

description	pid	process	target process
PID 1488 set thread context of 472	1488	ycjtthrn.exe	svchost.exe

pid	process
108	sc.exe
524	sc.exe
1888	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exeycjtthrn.exe

description	pid	process	target process
PID 964 wrote to memory of 1060	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 1060	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 1060	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 1060	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 2028	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 2028	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 2028	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 2028	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	cmd.exe
PID 964 wrote to memory of 108	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 108	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 108	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 108	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 524	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 524	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 524	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 524	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 1888	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 1888	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 1888	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 1888	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	sc.exe
PID 964 wrote to memory of 1620	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	netsh.exe
PID 964 wrote to memory of 1620	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	netsh.exe
PID 964 wrote to memory of 1620	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	netsh.exe
PID 964 wrote to memory of 1620	964	24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe	netsh.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe
PID 1488 wrote to memory of 472	1488	ycjtthrn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
"C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gwbsdvmy\
  2⤵
  PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ycjtthrn.exe" C:\Windows\SysWOW64\gwbsdvmy\
  2⤵
  PID:2028
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create gwbsdvmy binPath= "C:\Windows\SysWOW64\gwbsdvmy\ycjtthrn.exe /d\"C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:108
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description gwbsdvmy "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:524
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start gwbsdvmy
  2⤵
  - Launches sc.exe
  PID:1888
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1620

C:\Windows\SysWOW64\gwbsdvmy\ycjtthrn.exe
C:\Windows\SysWOW64\gwbsdvmy\ycjtthrn.exe /d"C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ycjtthrn.exe

Filesize
11.2MB

MD5
7bbe4241abdc00cd7c7d9189e86f8e94

SHA1
561000dbd19900b4247def2472d8ed01f89d2c9a

SHA256
e086890594754cb4f2d882500b26f3098cd202b6a26fb25bfdef4eb6dcd272b7

SHA512
193178663774627d4f684c1946dd80b1d8fe32b0c2712bc33df8d8af355b26ece8545935efc65ce9c4673486a4e9963ecd5c13da4de88a59143206ed208e6cc6

Download Submit
C:\Windows\SysWOW64\gwbsdvmy\ycjtthrn.exe

Filesize
11.2MB

MD5
7bbe4241abdc00cd7c7d9189e86f8e94

SHA1
561000dbd19900b4247def2472d8ed01f89d2c9a

SHA256
e086890594754cb4f2d882500b26f3098cd202b6a26fb25bfdef4eb6dcd272b7

SHA512
193178663774627d4f684c1946dd80b1d8fe32b0c2712bc33df8d8af355b26ece8545935efc65ce9c4673486a4e9963ecd5c13da4de88a59143206ed208e6cc6

Download Submit
memory/108-59-0x0000000000000000-mapping.dmp

Download
memory/472-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/472-70-0x0000000000089A6B-mapping.dmp

Download
memory/472-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/472-74-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/472-73-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/472-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/524-60-0x0000000000000000-mapping.dmp

Download
memory/964-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/964-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1060-56-0x0000000000000000-mapping.dmp

Download
memory/1488-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1620-62-0x0000000000000000-mapping.dmp

Download
memory/1888-61-0x0000000000000000-mapping.dmp

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing