tofsee | ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8

General

Target

ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
Size

309KB
MD5

2aebc54d7b396da27fd16ec29086e95c
SHA1

ac920d32eb475b31c9a304a372b172a1a8d8f8d2
SHA256

ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8
SHA512

f521ce16ee2541301f5f7bfafdf80d5ae4f832e5df5b5ba16ae9a5c638b22af3a86ad8c47f804b1db05c772b395dd7b304fc19916bb940751f42281f929065c1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

jrjtitbw.exe

pid process

4412 jrjtitbw.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3360 netsh.exe

pid	process
4412	jrjtitbw.exe

pid	process
3360	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dzmfalsb\ImagePath = "C:\\Windows\\SysWOW64\\dzmfalsb\\jrjtitbw.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jrjtitbw.exe

description pid process target process

PID 4412 set thread context of 4580 4412 jrjtitbw.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

620 sc.exe
4436 sc.exe
4276 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 4412 set thread context of 4580	4412	jrjtitbw.exe	svchost.exe

pid	process
620	sc.exe
4436	sc.exe
4276	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3524	3020	WerFault.exe	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
1556	4412	WerFault.exe	jrjtitbw.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 2cfc543ce9e6be0624edb47d450dd49d084297dce82e72baa49585fd8420451d0c2c7d3e80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56816d480447439e4a4644490bdb57f24ee925a07cff7b454758df21d5904e0a06d1dd9834c773ae69d084295d9e13f4bb4c06d05cec4e4241dc99c410830fea76913dc817d377fa2c2104499d8847a2cee905a02cef48d387287cc186270a4f93824dc814f7d39edad501cc7bd606da2dd49461ea6c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bd2202910de16d34fdc48e980fe7ad743d05f4a57316d98753773efaaf5119f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d042a955d24	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exejrjtitbw.exe

description	pid	process	target process
PID 3020 wrote to memory of 3276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 3276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 3276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 4456	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 4456	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 4456	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	cmd.exe
PID 3020 wrote to memory of 4276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 4276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 4276	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 620	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 620	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 620	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 4436	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 4436	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 4436	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	sc.exe
PID 3020 wrote to memory of 3360	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	netsh.exe
PID 3020 wrote to memory of 3360	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	netsh.exe
PID 3020 wrote to memory of 3360	3020	ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe	netsh.exe
PID 4412 wrote to memory of 4580	4412	jrjtitbw.exe	svchost.exe
PID 4412 wrote to memory of 4580	4412	jrjtitbw.exe	svchost.exe
PID 4412 wrote to memory of 4580	4412	jrjtitbw.exe	svchost.exe
PID 4412 wrote to memory of 4580	4412	jrjtitbw.exe	svchost.exe
PID 4412 wrote to memory of 4580	4412	jrjtitbw.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
"C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dzmfalsb\
2⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jrjtitbw.exe" C:\Windows\SysWOW64\dzmfalsb\
2⤵
PID:4456

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create dzmfalsb binPath= "C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe /d\"C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4276

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description dzmfalsb "wifi internet conection"
2⤵
- Launches sc.exe
PID:620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start dzmfalsb
2⤵
- Launches sc.exe
PID:4436

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1040
2⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe
C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe /d"C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 536
2⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3020 -ip 3020
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4412 -ip 4412
1⤵
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jrjtitbw.exe
Filesize
10.4MB

MD5
aac71900901eff898fe44581e63528d4

SHA1
2d2ac05cf4f8f2c6a5bc74657716ec6f09fb5ab9

SHA256
34bf1396e185b44e692c0726d90871fbbaeae153f2959aad0bfef5b94732c28b

SHA512
2172f2beee8b15977d86ae60fcbd11678c7903e2ce552e0d031abf30fd066dd89b3ba1612de74e01afbddb0e40266c5809f5228adc2ce88e329d7ccc9b87d838

Download Submit
C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe
Filesize
10.4MB

MD5
aac71900901eff898fe44581e63528d4

SHA1
2d2ac05cf4f8f2c6a5bc74657716ec6f09fb5ab9

SHA256
34bf1396e185b44e692c0726d90871fbbaeae153f2959aad0bfef5b94732c28b

SHA512
2172f2beee8b15977d86ae60fcbd11678c7903e2ce552e0d031abf30fd066dd89b3ba1612de74e01afbddb0e40266c5809f5228adc2ce88e329d7ccc9b87d838

Download Submit
memory/620-137-0x0000000000000000-mapping.dmp

Download
memory/3020-130-0x0000000002E6E000-0x0000000002E7C000-memory.dmp

Filesize
56KB

Download
memory/3020-131-0x0000000002E10000-0x0000000002E23000-memory.dmp

Filesize
76KB

Download
memory/3020-132-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/3020-143-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/3020-142-0x0000000002E10000-0x0000000002E23000-memory.dmp

Filesize
76KB

Download
memory/3020-141-0x0000000002E6E000-0x0000000002E7C000-memory.dmp

Filesize
56KB

Download
memory/3276-133-0x0000000000000000-mapping.dmp

Download
memory/3360-140-0x0000000000000000-mapping.dmp

Download
memory/4276-136-0x0000000000000000-mapping.dmp

Download
memory/4412-148-0x0000000002CF9000-0x0000000002D07000-memory.dmp

Filesize
56KB

Download
memory/4412-150-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/4436-138-0x0000000000000000-mapping.dmp

Download
memory/4456-134-0x0000000000000000-mapping.dmp

Download
memory/4580-144-0x0000000000000000-mapping.dmp

Download
memory/4580-145-0x0000000000B50000-0x0000000000B65000-memory.dmp

Filesize
84KB

Download
memory/4580-149-0x0000000000B50000-0x0000000000B65000-memory.dmp

Filesize
84KB

Download
memory/4580-151-0x0000000000B50000-0x0000000000B65000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads