tofsee | 3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f

General

Target

3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe
Size

99KB
MD5

2b126fbd0352c9ec2f7833af3d0df7ca
SHA1

3bf9cee470ad6cf126635570d89d9d9f30cef386
SHA256

3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f
SHA512

0dfb908197503bf9c1c9deeb015504d1b51d4c00857b34c3862f6c7fd9a4423acb0a068f1b63e2d6757b4c89f2d993e7913767c24d32763afd5e3c1ec43bdcc7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\fqogbnxz = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

nexahugf.exe

pid process

1432 nexahugf.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

992 netsh.exe

pid	process
1432	nexahugf.exe

pid	process
992	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fqogbnxz\ImagePath = "C:\\Windows\\SysWOW64\\fqogbnxz\\nexahugf.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1484 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nexahugf.exe

description pid process target process

PID 1432 set thread context of 1484 1432 nexahugf.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

524 sc.exe
944 sc.exe
628 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1484	svchost.exe

description	pid	process	target process
PID 1432 set thread context of 1484	1432	nexahugf.exe	svchost.exe

pid	process
524	sc.exe
944	sc.exe
628	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exenexahugf.exe

description	pid	process	target process
PID 1884 wrote to memory of 868	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 868	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 868	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 868	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 1332	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 1332	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 1332	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 1332	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	cmd.exe
PID 1884 wrote to memory of 524	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 524	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 524	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 524	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 944	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 944	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 944	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 944	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 628	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 628	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 628	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1884 wrote to memory of 628	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	sc.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1432 wrote to memory of 1484	1432	nexahugf.exe	svchost.exe
PID 1884 wrote to memory of 992	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	netsh.exe
PID 1884 wrote to memory of 992	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	netsh.exe
PID 1884 wrote to memory of 992	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	netsh.exe
PID 1884 wrote to memory of 992	1884	3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe
"C:\Users\Admin\AppData\Local\Temp\3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fqogbnxz\
2⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nexahugf.exe" C:\Windows\SysWOW64\fqogbnxz\
2⤵
PID:1332

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fqogbnxz binPath= "C:\Windows\SysWOW64\fqogbnxz\nexahugf.exe /d\"C:\Users\Admin\AppData\Local\Temp\3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:524

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fqogbnxz "wifi internet conection"
2⤵
- Launches sc.exe
PID:944

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fqogbnxz
2⤵
- Launches sc.exe
PID:628

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:992

C:\Windows\SysWOW64\fqogbnxz\nexahugf.exe
C:\Windows\SysWOW64\fqogbnxz\nexahugf.exe /d"C:\Users\Admin\AppData\Local\Temp\3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nexahugf.exe
Filesize
13.4MB

MD5
7d9af1780572ed70b28e856c9b11687e

SHA1
0105f00710ce3507eed1141e2324b227cc2484f9

SHA256
1f73ec8cc10d85e527d14b3fef887c4ded03d7d9c3c2a841df3aa238594642b1

SHA512
b539f3b9ee4cac1d087292da54ba8c52e57096fd45a5305a8a80ca9b9c92fa8a1191e26d35d929205ba1d66d03fb90461e874bd7d9f955084f90e1046e5586f6

Download Submit
C:\Windows\SysWOW64\fqogbnxz\nexahugf.exe
Filesize
13.4MB

MD5
7d9af1780572ed70b28e856c9b11687e

SHA1
0105f00710ce3507eed1141e2324b227cc2484f9

SHA256
1f73ec8cc10d85e527d14b3fef887c4ded03d7d9c3c2a841df3aa238594642b1

SHA512
b539f3b9ee4cac1d087292da54ba8c52e57096fd45a5305a8a80ca9b9c92fa8a1191e26d35d929205ba1d66d03fb90461e874bd7d9f955084f90e1046e5586f6

Download Submit
memory/524-59-0x0000000000000000-mapping.dmp

Download
memory/628-61-0x0000000000000000-mapping.dmp

Download
memory/868-56-0x0000000000000000-mapping.dmp

Download
memory/944-60-0x0000000000000000-mapping.dmp

Download
memory/992-73-0x0000000000000000-mapping.dmp

Download
memory/1332-57-0x0000000000000000-mapping.dmp

Download
memory/1432-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1484-65-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1484-68-0x0000000000089A6B-mapping.dmp

Download
memory/1484-72-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1484-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1884-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1884-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads