tofsee | 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257

General

Target

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe
Size

143KB
MD5

6a07816512f5c3fc626e4f8fcc9b0058
SHA1

217533c5246f3133256dbf6cf09f450bd7e3edcd
SHA256

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
SHA512

1e65a4680b1e3e2fb94e3a7e0fe53189ebe306bfe61d2a18b3ae4226e28078cd37ad0fcaba58de5b0b542d205b9152c26e32cd596e2954f29cb200b816bfc721

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

uuawkkqi.exe

pid process

2968 uuawkkqi.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

616 netsh.exe

pid	process
2968	uuawkkqi.exe

pid	process
616	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cxzerdcy\ImagePath = "C:\\Windows\\SysWOW64\\cxzerdcy\\uuawkkqi.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

uuawkkqi.exe

description pid process target process

PID 2968 set thread context of 1084 2968 uuawkkqi.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2308 sc.exe
1888 sc.exe
4496 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2968 set thread context of 1084	2968	uuawkkqi.exe	svchost.exe

pid	process
2308	sc.exe
1888	sc.exe
4496	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exeuuawkkqi.exe

description	pid	process	target process
PID 2068 wrote to memory of 880	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 880	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 880	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 4324	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 4324	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 4324	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	cmd.exe
PID 2068 wrote to memory of 2308	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 2308	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 2308	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 1888	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 1888	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 1888	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 4496	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 4496	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 4496	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	sc.exe
PID 2068 wrote to memory of 616	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	netsh.exe
PID 2068 wrote to memory of 616	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	netsh.exe
PID 2068 wrote to memory of 616	2068	204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe	netsh.exe
PID 2968 wrote to memory of 1084	2968	uuawkkqi.exe	svchost.exe
PID 2968 wrote to memory of 1084	2968	uuawkkqi.exe	svchost.exe
PID 2968 wrote to memory of 1084	2968	uuawkkqi.exe	svchost.exe
PID 2968 wrote to memory of 1084	2968	uuawkkqi.exe	svchost.exe
PID 2968 wrote to memory of 1084	2968	uuawkkqi.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe
"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cxzerdcy\
2⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uuawkkqi.exe" C:\Windows\SysWOW64\cxzerdcy\
2⤵
PID:4324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create cxzerdcy binPath= "C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe /d\"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2308

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description cxzerdcy "wifi internet conection"
2⤵
- Launches sc.exe
PID:1888

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start cxzerdcy
2⤵
- Launches sc.exe
PID:4496

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:616

C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe
C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe /d"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uuawkkqi.exe
Filesize
12.5MB

MD5
5cb91fa0039bcb180266de4ddb6938fa

SHA1
6cdf7ba2632f4c4a0c82178e55f09828fa68b391

SHA256
067fb42d2e0caf5f2f75eacf3dd516eb2cc809208fd11886c3cbd56966db13f8

SHA512
331258d70eaea05f6b572af76ea368c65f20c19110eb42f377937529d94196bd0780957f0c851dbb71da6ae9962d6aa25d74dcef9045709af20e01243d5e30cb

Download Submit
C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe
Filesize
12.5MB

MD5
5cb91fa0039bcb180266de4ddb6938fa

SHA1
6cdf7ba2632f4c4a0c82178e55f09828fa68b391

SHA256
067fb42d2e0caf5f2f75eacf3dd516eb2cc809208fd11886c3cbd56966db13f8

SHA512
331258d70eaea05f6b572af76ea368c65f20c19110eb42f377937529d94196bd0780957f0c851dbb71da6ae9962d6aa25d74dcef9045709af20e01243d5e30cb

Download Submit
memory/616-137-0x0000000000000000-mapping.dmp

Download
memory/880-131-0x0000000000000000-mapping.dmp

Download
memory/1084-141-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/1084-145-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/1084-144-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/1084-140-0x0000000000000000-mapping.dmp

Download
memory/1888-135-0x0000000000000000-mapping.dmp

Download
memory/2068-130-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2308-134-0x0000000000000000-mapping.dmp

Download
memory/2968-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4324-132-0x0000000000000000-mapping.dmp

Download
memory/4496-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads