tofsee | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7

General

Target

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
Size

108KB
MD5

a7b95421785baa3381af20c176aece4f
SHA1

20991f8fa8669bd25d468d1ab9ed9477438e7bfa
SHA256

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
SHA512

c70edcc1b4851ca1e4e65afe71d7b11156afc6d94e93ca4aac9c4dbb7661a1997fd18c8f91dd367ca1a809dec52aad850cf3b3ebbd381c5bb0d7bf32f3c54727

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ftbokhjx = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

wvhdiscp.exe

pid process

1488 wvhdiscp.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

776 netsh.exe

pid	process
1488	wvhdiscp.exe

pid	process
776	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ftbokhjx\ImagePath = "C:\\Windows\\SysWOW64\\ftbokhjx\\wvhdiscp.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1636 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wvhdiscp.exe

description pid process target process

PID 1488 set thread context of 1636 1488 wvhdiscp.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1416 sc.exe
2036 sc.exe
1508 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1636	svchost.exe

description	pid	process	target process
PID 1488 set thread context of 1636	1488	wvhdiscp.exe	svchost.exe

pid	process
1416	sc.exe
2036	sc.exe
1508	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exewvhdiscp.exe

description	pid	process	target process
PID 1744 wrote to memory of 1096	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1096	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1096	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1096	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1136	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1136	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1136	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1136	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 1744 wrote to memory of 1416	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1416	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1416	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1416	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 2036	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 2036	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 2036	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 2036	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1508	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1508	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1508	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 1508	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 1744 wrote to memory of 776	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 1744 wrote to memory of 776	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 1744 wrote to memory of 776	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 1744 wrote to memory of 776	1744	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe
PID 1488 wrote to memory of 1636	1488	wvhdiscp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ftbokhjx\
2⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wvhdiscp.exe" C:\Windows\SysWOW64\ftbokhjx\
2⤵
PID:1136

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ftbokhjx binPath= "C:\Windows\SysWOW64\ftbokhjx\wvhdiscp.exe /d\"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1416

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ftbokhjx "wifi internet conection"
2⤵
- Launches sc.exe
PID:2036

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ftbokhjx
2⤵
- Launches sc.exe
PID:1508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:776

C:\Windows\SysWOW64\ftbokhjx\wvhdiscp.exe
C:\Windows\SysWOW64\ftbokhjx\wvhdiscp.exe /d"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wvhdiscp.exe
Filesize
13.3MB

MD5
08e2ae5c3f5443b2fd9caf577c1de114

SHA1
5b8220f864fbe015ebdbd5caad25c3d6fe14f34d

SHA256
afc64b615406bedbc8eccbdcafd99628ccef88c593caf2dad8afd084319b5170

SHA512
f0ba52fef6e8593525762de41ffc885842957a2924a12a67a9d50420e817a00b9cb76de3dab2ae6abaa2c96f523364111e5b1b0b460c38c44c3d65ac50f9041a

Download Submit
C:\Windows\SysWOW64\ftbokhjx\wvhdiscp.exe
Filesize
13.3MB

MD5
08e2ae5c3f5443b2fd9caf577c1de114

SHA1
5b8220f864fbe015ebdbd5caad25c3d6fe14f34d

SHA256
afc64b615406bedbc8eccbdcafd99628ccef88c593caf2dad8afd084319b5170

SHA512
f0ba52fef6e8593525762de41ffc885842957a2924a12a67a9d50420e817a00b9cb76de3dab2ae6abaa2c96f523364111e5b1b0b460c38c44c3d65ac50f9041a

Download Submit
memory/776-62-0x0000000000000000-mapping.dmp

Download
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1136-57-0x0000000000000000-mapping.dmp

Download
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1488-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1508-61-0x0000000000000000-mapping.dmp

Download
memory/1636-68-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1636-66-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1636-69-0x0000000000089A6B-mapping.dmp

Download
memory/1636-72-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1636-74-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1636-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1744-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1744-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/2036-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads