tofsee | 229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f

General

Target

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe
Size

97KB
MD5

4d20335690b8218af519b6a5ff523c94
SHA1

05b23688e15db6b5b5730e76c762af9a1390617c
SHA256

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
SHA512

ffa59b9145ee118d0dfedf4dd7b6ed364ab43d5347ba8f34d2cbdde09ca318b4f9de89b1ec4933bd0eaa7068bb15bb2bbaed3658d5b5713caf02455eed20ece5

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

rhnghpfo.exe

pid process

4608 rhnghpfo.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2188 netsh.exe

pid	process
4608	rhnghpfo.exe

pid	process
2188	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gbvygylx\ImagePath = "C:\\Windows\\SysWOW64\\gbvygylx\\rhnghpfo.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rhnghpfo.exe

description pid process target process

PID 4608 set thread context of 1688 4608 rhnghpfo.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1692 sc.exe
4516 sc.exe
4324 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4608 set thread context of 1688	4608	rhnghpfo.exe	svchost.exe

pid	process
1692	sc.exe
4516	sc.exe
4324	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exerhnghpfo.exe

description	pid	process	target process
PID 2896 wrote to memory of 3656	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 3656	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 3656	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 3348	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 3348	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 3348	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	cmd.exe
PID 2896 wrote to memory of 1692	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 1692	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 1692	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4516	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4516	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4516	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4324	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4324	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 4324	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	sc.exe
PID 2896 wrote to memory of 2188	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 2896 wrote to memory of 2188	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 2896 wrote to memory of 2188	2896	229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe	netsh.exe
PID 4608 wrote to memory of 1688	4608	rhnghpfo.exe	svchost.exe
PID 4608 wrote to memory of 1688	4608	rhnghpfo.exe	svchost.exe
PID 4608 wrote to memory of 1688	4608	rhnghpfo.exe	svchost.exe
PID 4608 wrote to memory of 1688	4608	rhnghpfo.exe	svchost.exe
PID 4608 wrote to memory of 1688	4608	rhnghpfo.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe
"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gbvygylx\
  2⤵
  PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhnghpfo.exe" C:\Windows\SysWOW64\gbvygylx\
  2⤵
  PID:3348
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create gbvygylx binPath= "C:\Windows\SysWOW64\gbvygylx\rhnghpfo.exe /d\"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1692
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description gbvygylx "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start gbvygylx
  2⤵
  - Launches sc.exe
  PID:4324
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2188

C:\Windows\SysWOW64\gbvygylx\rhnghpfo.exe
C:\Windows\SysWOW64\gbvygylx\rhnghpfo.exe /d"C:\Users\Admin\AppData\Local\Temp\229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rhnghpfo.exe

Filesize
13.6MB

MD5
cee3935d2a47369cdd978fc6cc492b11

SHA1
664a12f8776f233889a491f09e659340fdeedb35

SHA256
f7351a8055f187331aa1067de979ce8924aafae8717a81648e88d6ba3dc900a1

SHA512
83b3e30604613bf4e6f5fb4e4787587ac9114db765a63d288168cadd687bec3af0ea6547fb5d630b3daeaf2798588598655d48bc62f8eec429d0062b2c529183

Download Submit
C:\Windows\SysWOW64\gbvygylx\rhnghpfo.exe

Filesize
13.6MB

MD5
cee3935d2a47369cdd978fc6cc492b11

SHA1
664a12f8776f233889a491f09e659340fdeedb35

SHA256
f7351a8055f187331aa1067de979ce8924aafae8717a81648e88d6ba3dc900a1

SHA512
83b3e30604613bf4e6f5fb4e4787587ac9114db765a63d288168cadd687bec3af0ea6547fb5d630b3daeaf2798588598655d48bc62f8eec429d0062b2c529183

Download Submit
memory/1688-142-0x00000000006C0000-0x00000000006D5000-memory.dmp

Filesize
84KB

Download
memory/1688-146-0x00000000006C0000-0x00000000006D5000-memory.dmp

Filesize
84KB

Download
memory/1688-145-0x00000000006C0000-0x00000000006D5000-memory.dmp

Filesize
84KB

Download
memory/1688-141-0x0000000000000000-mapping.dmp

Download
memory/1692-135-0x0000000000000000-mapping.dmp

Download
memory/2188-138-0x0000000000000000-mapping.dmp

Download
memory/2896-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3348-133-0x0000000000000000-mapping.dmp

Download
memory/3656-132-0x0000000000000000-mapping.dmp

Download
memory/4324-137-0x0000000000000000-mapping.dmp

Download
memory/4516-136-0x0000000000000000-mapping.dmp

Download
memory/4608-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads