tofsee | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7

General

Target

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
Size

108KB
MD5

a7b95421785baa3381af20c176aece4f
SHA1

20991f8fa8669bd25d468d1ab9ed9477438e7bfa
SHA256

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
SHA512

c70edcc1b4851ca1e4e65afe71d7b11156afc6d94e93ca4aac9c4dbb7661a1997fd18c8f91dd367ca1a809dec52aad850cf3b3ebbd381c5bb0d7bf32f3c54727

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

oekdemcl.exe

pid process

2276 oekdemcl.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4176 netsh.exe

pid	process
2276	oekdemcl.exe

pid	process
4176	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ysdykigs\ImagePath = "C:\\Windows\\SysWOW64\\ysdykigs\\oekdemcl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

oekdemcl.exe

description pid process target process

PID 2276 set thread context of 32 2276 oekdemcl.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1624 sc.exe
4684 sc.exe
3004 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2276 set thread context of 32	2276	oekdemcl.exe	svchost.exe

pid	process
1624	sc.exe
4684	sc.exe
3004	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exeoekdemcl.exe

description	pid	process	target process
PID 4332 wrote to memory of 4280	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 4280	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 4280	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 3364	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 3364	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 3364	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	cmd.exe
PID 4332 wrote to memory of 1624	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 1624	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 1624	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 4684	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 4684	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 4684	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 3004	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 3004	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 3004	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	sc.exe
PID 4332 wrote to memory of 4176	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 4332 wrote to memory of 4176	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 4332 wrote to memory of 4176	4332	28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe	netsh.exe
PID 2276 wrote to memory of 32	2276	oekdemcl.exe	svchost.exe
PID 2276 wrote to memory of 32	2276	oekdemcl.exe	svchost.exe
PID 2276 wrote to memory of 32	2276	oekdemcl.exe	svchost.exe
PID 2276 wrote to memory of 32	2276	oekdemcl.exe	svchost.exe
PID 2276 wrote to memory of 32	2276	oekdemcl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ysdykigs\
2⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oekdemcl.exe" C:\Windows\SysWOW64\ysdykigs\
2⤵
PID:3364

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ysdykigs binPath= "C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe /d\"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1624

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ysdykigs "wifi internet conection"
2⤵
- Launches sc.exe
PID:4684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ysdykigs
2⤵
- Launches sc.exe
PID:3004

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4176

C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe
C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe /d"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:32

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oekdemcl.exe
Filesize
14.6MB

MD5
02d0a1481cbd7bfafa888262c0048d6a

SHA1
a972c5b9ed2853ae1e2a3b1549f73f6ba3595688

SHA256
05ce4de20b01c4f3d3d5ecf516f27788b1f043a304d225cd669d3a3299844bf1

SHA512
e5395168c1fd681d236ad0d2b512b59591a1e35950a5eb6dc63ab334360f828f17330c261a8e02fc4140ac1b04488f57075bdafb7d821ef35f58accc6082fb9a

Download Submit
C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe
Filesize
14.6MB

MD5
02d0a1481cbd7bfafa888262c0048d6a

SHA1
a972c5b9ed2853ae1e2a3b1549f73f6ba3595688

SHA256
05ce4de20b01c4f3d3d5ecf516f27788b1f043a304d225cd669d3a3299844bf1

SHA512
e5395168c1fd681d236ad0d2b512b59591a1e35950a5eb6dc63ab334360f828f17330c261a8e02fc4140ac1b04488f57075bdafb7d821ef35f58accc6082fb9a

Download Submit
memory/32-145-0x0000000001030000-0x0000000001045000-memory.dmp

Filesize
84KB

Download
memory/32-144-0x0000000001030000-0x0000000001045000-memory.dmp

Filesize
84KB

Download
memory/32-141-0x0000000001030000-0x0000000001045000-memory.dmp

Filesize
84KB

Download
memory/32-140-0x0000000000000000-mapping.dmp

Download
memory/1624-134-0x0000000000000000-mapping.dmp

Download
memory/2276-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3004-136-0x0000000000000000-mapping.dmp

Download
memory/3364-132-0x0000000000000000-mapping.dmp

Download
memory/4176-139-0x0000000000000000-mapping.dmp

Download
memory/4280-131-0x0000000000000000-mapping.dmp

Download
memory/4332-130-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4684-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads