tofsee | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

General

Target

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
Size

14.1MB
MD5

0e23bc0be4b1ddfa9fb1b05987dc7894
SHA1

a7e8682f89910271a131f67cf7bd2ac4c250fe77
SHA256

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef
SHA512

c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

43.231.5.6

115.230.124.76

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ydxtbtwr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

lvjwkio.exe

pid process

1740 lvjwkio.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

684 netsh.exe

pid	process
1740	lvjwkio.exe

pid	process
684	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ydxtbtwr\ImagePath = "C:\\Windows\\SysWOW64\\ydxtbtwr\\lvjwkio.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

732 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lvjwkio.exe

description pid process target process

PID 1740 set thread context of 732 1740 lvjwkio.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1988 sc.exe
1292 sc.exe
1712 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
732	svchost.exe

description	pid	process	target process
PID 1740 set thread context of 732	1740	lvjwkio.exe	svchost.exe

pid	process
1988	sc.exe
1292	sc.exe
1712	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exelvjwkio.exe

description	pid	process	target process
PID 1492 wrote to memory of 1124	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 1124	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 1124	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 1124	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 2012	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 2012	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 2012	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 2012	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 1492 wrote to memory of 1988	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1988	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1988	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1988	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1292	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1292	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1292	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1292	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1712	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1712	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1712	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 1712	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 1492 wrote to memory of 684	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 1492 wrote to memory of 684	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 1492 wrote to memory of 684	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 1492 wrote to memory of 684	1492	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe
PID 1740 wrote to memory of 732	1740	lvjwkio.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ydxtbtwr\
2⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lvjwkio.exe" C:\Windows\SysWOW64\ydxtbtwr\
2⤵
PID:2012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ydxtbtwr binPath= "C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe /d\"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe\"" type= own start= auto DisplayName= "P2P Support"
2⤵
- Launches sc.exe
PID:1988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ydxtbtwr "Internet Mobile Support"
2⤵
- Launches sc.exe
PID:1292

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ydxtbtwr
2⤵
- Launches sc.exe
PID:1712

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:684

C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe
C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe /d"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lvjwkio.exe
Filesize
12.1MB

MD5
a6f8aad33c2565bb8e792c441012c0b1

SHA1
ddf38af5db5e015e60dc6c867de31764dbe4f8c1

SHA256
20f7315a9dd6b92f0ff757419eca682feab1a1bd5175309526e42fba55ab4d73

SHA512
f3930e8525d7056d3778c12d790eaf6d7ac4bc231a383b9c055fce5a6c93ab3c780f3899f0b1e5bbe47b0e8626a310d6a6ed1acaca12a83170d10ae809e280d7

Download Submit
C:\Windows\SysWOW64\ydxtbtwr\lvjwkio.exe
Filesize
12.1MB

MD5
a6f8aad33c2565bb8e792c441012c0b1

SHA1
ddf38af5db5e015e60dc6c867de31764dbe4f8c1

SHA256
20f7315a9dd6b92f0ff757419eca682feab1a1bd5175309526e42fba55ab4d73

SHA512
f3930e8525d7056d3778c12d790eaf6d7ac4bc231a383b9c055fce5a6c93ab3c780f3899f0b1e5bbe47b0e8626a310d6a6ed1acaca12a83170d10ae809e280d7

Download Submit
memory/684-63-0x0000000000000000-mapping.dmp

Download
memory/732-75-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/732-74-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/732-70-0x00000000000D9A7B-mapping.dmp

Download
memory/732-69-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/732-67-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1124-56-0x0000000000000000-mapping.dmp

Download
memory/1292-60-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1492-55-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1712-61-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads