tofsee | 229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f

General

Target

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe
Size

97KB
MD5

4d20335690b8218af519b6a5ff523c94
SHA1

05b23688e15db6b5b5730e76c762af9a1390617c
SHA256

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
SHA512

ffa59b9145ee118d0dfedf4dd7b6ed364ab43d5347ba8f34d2cbdde09ca318b4f9de89b1ec4933bd0eaa7068bb15bb2bbaed3658d5b5713caf02455eed20ece5

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\cnkvxpis = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

uoqnhdns.exe

pid process

892 uoqnhdns.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1204 netsh.exe

pid	process
892	uoqnhdns.exe

pid	process
1204	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cnkvxpis\ImagePath = "C:\\Windows\\SysWOW64\\cnkvxpis\\uoqnhdns.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

320 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

uoqnhdns.exe

description pid process target process

PID 892 set thread context of 320 892 uoqnhdns.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1028 sc.exe
1996 sc.exe
956 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
320	svchost.exe

description	pid	process	target process
PID 892 set thread context of 320	892	uoqnhdns.exe	svchost.exe

pid	process
1028	sc.exe
1996	sc.exe
956	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exeuoqnhdns.exe

description	pid	process	target process
PID 1092 wrote to memory of 1952	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1952	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1952	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1952	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1228	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1228	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1228	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 1228	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 1092 wrote to memory of 956	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 956	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 956	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 956	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1028	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1028	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1028	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1028	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1996	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1996	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1996	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 1092 wrote to memory of 1996	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 892 wrote to memory of 320	892	uoqnhdns.exe	svchost.exe
PID 1092 wrote to memory of 1204	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 1092 wrote to memory of 1204	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 1092 wrote to memory of 1204	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 1092 wrote to memory of 1204	1092	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe
"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cnkvxpis\
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uoqnhdns.exe" C:\Windows\SysWOW64\cnkvxpis\
  2⤵
  PID:1228
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create cnkvxpis binPath= "C:\Windows\SysWOW64\cnkvxpis\uoqnhdns.exe /d\"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:956
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description cnkvxpis "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1028
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start cnkvxpis
  2⤵
  - Launches sc.exe
  PID:1996
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1204

C:\Windows\SysWOW64\cnkvxpis\uoqnhdns.exe
C:\Windows\SysWOW64\cnkvxpis\uoqnhdns.exe /d"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uoqnhdns.exe

Filesize
12.9MB

MD5
246aff89ea4377b0e196bdcf9f5458eb

SHA1
168c8dfe39c653e49205b27125949717d73054f5

SHA256
b9b8deb851aafca0fdae698ab048634919ab9efcd1c524ad2d036daa48ee6319

SHA512
63a064da0cf08654297953fe011b8a3a9de52d6c71f77f59c6b98cccae06ac74b6b4491460d4a6a197494ef0ce0ca138af241d9d7704d03cfa3ecd2aa9fc89dd

Download Submit
C:\Windows\SysWOW64\cnkvxpis\uoqnhdns.exe

Filesize
12.9MB

MD5
246aff89ea4377b0e196bdcf9f5458eb

SHA1
168c8dfe39c653e49205b27125949717d73054f5

SHA256
b9b8deb851aafca0fdae698ab048634919ab9efcd1c524ad2d036daa48ee6319

SHA512
63a064da0cf08654297953fe011b8a3a9de52d6c71f77f59c6b98cccae06ac74b6b4491460d4a6a197494ef0ce0ca138af241d9d7704d03cfa3ecd2aa9fc89dd

Download Submit
memory/320-65-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/320-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/320-74-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/320-68-0x0000000000089A6B-mapping.dmp

Download
memory/320-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/892-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1028-60-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-55-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1204-72-0x0000000000000000-mapping.dmp

Download
memory/1228-57-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads