tofsee | 24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de

General

Target

24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe
Size

97KB
MD5

21bb978b116fa781407e7e0e7892d421
SHA1

8fb6c24e60e94e3d526913d2854626fb9920c722
SHA256

24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de
SHA512

1a042994c4586cc394e48d72fd459bda60367363932ba8a7b580bac956c6a0442302e4a74eedfd57f0264b26121841a27a9b2ab6b96d54d832517ef79307adab

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ulqfuil = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

oviilwoj.exe

pid process

428 oviilwoj.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1052 netsh.exe

pid	process
428	oviilwoj.exe

pid	process
1052	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ulqfuil\ImagePath = "C:\\Windows\\SysWOW64\\ulqfuil\\oviilwoj.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1336 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

oviilwoj.exe

description pid process target process

PID 428 set thread context of 1336 428 oviilwoj.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2032 sc.exe
1988 sc.exe
1940 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1336	svchost.exe

description	pid	process	target process
PID 428 set thread context of 1336	428	oviilwoj.exe	svchost.exe

pid	process
2032	sc.exe
1988	sc.exe
1940	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exeoviilwoj.exe

description	pid	process	target process
PID 452 wrote to memory of 1768	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1768	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1768	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1768	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1720	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1720	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1720	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 1720	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	cmd.exe
PID 452 wrote to memory of 2032	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 2032	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 2032	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 2032	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1988	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1988	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1988	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1988	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1940	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1940	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1940	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1940	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	sc.exe
PID 452 wrote to memory of 1052	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	netsh.exe
PID 452 wrote to memory of 1052	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	netsh.exe
PID 452 wrote to memory of 1052	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	netsh.exe
PID 452 wrote to memory of 1052	452	24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe	netsh.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe
PID 428 wrote to memory of 1336	428	oviilwoj.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe
"C:\Users\Admin\AppData\Local\Temp\24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ulqfuil\
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oviilwoj.exe" C:\Windows\SysWOW64\ulqfuil\
  2⤵
  PID:1720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ulqfuil binPath= "C:\Windows\SysWOW64\ulqfuil\oviilwoj.exe /d\"C:\Users\Admin\AppData\Local\Temp\24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ulqfuil "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1988
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ulqfuil
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1052

C:\Windows\SysWOW64\ulqfuil\oviilwoj.exe
C:\Windows\SysWOW64\ulqfuil\oviilwoj.exe /d"C:\Users\Admin\AppData\Local\Temp\24e3aeee7c908f97b9f9966987ceddf33b21b64b4c0e0c9297ac8f04e5d3f0de.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oviilwoj.exe

Filesize
12.3MB

MD5
d3a5f490f3650adf57d3b3ae4188450a

SHA1
339d10ea910299e7ecdd7ac0266efd2a28fe17ef

SHA256
8a9cc47b2d15a389d3db5145c92f43a95c7347d4b09b93fa935c62658ade6967

SHA512
260d5957e57977074ce9c1b2feeff9378cb1db5202c021a1b8f0ef9d97d891a0e81874d13d0121ae5bfa6842e1f3e3e2eec79c41eeadb19ce6549a9f4341b159

Download Submit
C:\Windows\SysWOW64\ulqfuil\oviilwoj.exe

Filesize
12.3MB

MD5
d3a5f490f3650adf57d3b3ae4188450a

SHA1
339d10ea910299e7ecdd7ac0266efd2a28fe17ef

SHA256
8a9cc47b2d15a389d3db5145c92f43a95c7347d4b09b93fa935c62658ade6967

SHA512
260d5957e57977074ce9c1b2feeff9378cb1db5202c021a1b8f0ef9d97d891a0e81874d13d0121ae5bfa6842e1f3e3e2eec79c41eeadb19ce6549a9f4341b159

Download Submit
memory/428-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/428-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/452-55-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/452-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/452-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/452-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-63-0x0000000000000000-mapping.dmp

Download
memory/1336-78-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1336-68-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1336-77-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1336-71-0x0000000000089A6B-mapping.dmp

Download
memory/1336-70-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1720-58-0x0000000000000000-mapping.dmp

Download
memory/1768-57-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads