tofsee | e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757

General

Target

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
Size

300KB
MD5

925e5cc6c24e1e19a63e0864fb3b0b7e
SHA1

50b910f1c263181179dcd374116384309c1452bd
SHA256

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757
SHA512

f91c1a890f74dd637bc1a99f13a2c0de522a088246a10e065c2246bb531082ce872205520843386125e1421d456243885466a1307985446a82ec223b42f71246

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

hwgkxyn.exehwgkxyn.exe

pid process

4884 hwgkxyn.exe
2692 hwgkxyn.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1684 netsh.exe

pid	process
4884	hwgkxyn.exe
2692	hwgkxyn.exe

pid	process
1684	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exehwgkxyn.exe

description	pid	process	target process
PID 4720 set thread context of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4884 set thread context of 2692	4884	hwgkxyn.exe	hwgkxyn.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2308 sc.exe
3624 sc.exe
1092 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2308	sc.exe
3624	sc.exe
1092	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exee9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exehwgkxyn.exe

description	pid	process	target process
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4720 wrote to memory of 4312	4720	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
PID 4312 wrote to memory of 5060	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 5060	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 5060	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 2720	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 2720	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 2720	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	cmd.exe
PID 4312 wrote to memory of 2308	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 2308	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 2308	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 3624	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 3624	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 3624	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 1092	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 1092	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 1092	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	sc.exe
PID 4312 wrote to memory of 1684	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	netsh.exe
PID 4312 wrote to memory of 1684	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	netsh.exe
PID 4312 wrote to memory of 1684	4312	e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe	netsh.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe
PID 4884 wrote to memory of 2692	4884	hwgkxyn.exe	hwgkxyn.exe

C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
"C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe
"C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jdrskmkg\
3⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hwgkxyn.exe" C:\Windows\SysWOW64\jdrskmkg\
3⤵
PID:2720

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jdrskmkg binPath= "C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe /d\"C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:2308

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jdrskmkg "wifi internet conection"
3⤵
- Launches sc.exe
PID:3624

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jdrskmkg
3⤵
- Launches sc.exe
PID:1092

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:1684

C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe
C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe /d"C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe
C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe /d"C:\Users\Admin\AppData\Local\Temp\e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757.exe"
2⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hwgkxyn.exe
Filesize
10.5MB

MD5
26c8b297e3dd75ae134019021f4dc22c

SHA1
7cd3ec555a4890c08a0eb2cd025ed426fa77e431

SHA256
9639a957f348faa4c390c3c8cb9e1fac9a6e7916c7f1934051427ccdb996a4da

SHA512
e64a8734876fda3c320b75248c1fd3630fa888aa987127d2c1760e1dd7d75c35fa99a5ce2f6c0d679adf74abbc491304c1f48d80693ec4caf4c19d89fdf808ba

Download Submit
C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe
Filesize
10.5MB

MD5
26c8b297e3dd75ae134019021f4dc22c

SHA1
7cd3ec555a4890c08a0eb2cd025ed426fa77e431

SHA256
9639a957f348faa4c390c3c8cb9e1fac9a6e7916c7f1934051427ccdb996a4da

SHA512
e64a8734876fda3c320b75248c1fd3630fa888aa987127d2c1760e1dd7d75c35fa99a5ce2f6c0d679adf74abbc491304c1f48d80693ec4caf4c19d89fdf808ba

Download Submit
C:\Windows\SysWOW64\jdrskmkg\hwgkxyn.exe
Filesize
10.5MB

MD5
26c8b297e3dd75ae134019021f4dc22c

SHA1
7cd3ec555a4890c08a0eb2cd025ed426fa77e431

SHA256
9639a957f348faa4c390c3c8cb9e1fac9a6e7916c7f1934051427ccdb996a4da

SHA512
e64a8734876fda3c320b75248c1fd3630fa888aa987127d2c1760e1dd7d75c35fa99a5ce2f6c0d679adf74abbc491304c1f48d80693ec4caf4c19d89fdf808ba

Download Submit
memory/1092-142-0x0000000000000000-mapping.dmp

Download
memory/1684-144-0x0000000000000000-mapping.dmp

Download
memory/2308-140-0x0000000000000000-mapping.dmp

Download
memory/2692-153-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-151-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-146-0x0000000000000000-mapping.dmp

Download
memory/2720-138-0x0000000000000000-mapping.dmp

Download
memory/3624-141-0x0000000000000000-mapping.dmp

Download
memory/4312-130-0x0000000000000000-mapping.dmp

Download
memory/4312-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4312-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4312-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4312-131-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4720-134-0x0000000002DF0000-0x0000000002E04000-memory.dmp

Filesize
80KB

Download
memory/4720-133-0x0000000002F7E000-0x0000000002F8C000-memory.dmp

Filesize
56KB

Download
memory/4884-150-0x0000000002E99000-0x0000000002EA7000-memory.dmp

Filesize
56KB

Download
memory/5060-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads