tofsee | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

General

Target

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
Size

14.1MB
MD5

0e23bc0be4b1ddfa9fb1b05987dc7894
SHA1

a7e8682f89910271a131f67cf7bd2ac4c250fe77
SHA256

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef
SHA512

c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

43.231.5.6

115.230.124.76

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

xpmigpvr.exe

pid process

2936 xpmigpvr.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2672 netsh.exe

pid	process
2936	xpmigpvr.exe

pid	process
2672	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\phdmmqhk\ImagePath = "C:\\Windows\\SysWOW64\\phdmmqhk\\xpmigpvr.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xpmigpvr.exe

description pid process target process

PID 2936 set thread context of 3580 2936 xpmigpvr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5080 sc.exe
4500 sc.exe
4004 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2936 set thread context of 3580	2936	xpmigpvr.exe	svchost.exe

pid	process
5080	sc.exe
4500	sc.exe
4004	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exexpmigpvr.exe

description	pid	process	target process
PID 864 wrote to memory of 3080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 3080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 3080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 1460	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 1460	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 1460	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	cmd.exe
PID 864 wrote to memory of 5080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 5080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 5080	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4500	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4500	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4500	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4004	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4004	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 4004	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	sc.exe
PID 864 wrote to memory of 2672	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 864 wrote to memory of 2672	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 864 wrote to memory of 2672	864	5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe	netsh.exe
PID 2936 wrote to memory of 3580	2936	xpmigpvr.exe	svchost.exe
PID 2936 wrote to memory of 3580	2936	xpmigpvr.exe	svchost.exe
PID 2936 wrote to memory of 3580	2936	xpmigpvr.exe	svchost.exe
PID 2936 wrote to memory of 3580	2936	xpmigpvr.exe	svchost.exe
PID 2936 wrote to memory of 3580	2936	xpmigpvr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phdmmqhk\
2⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe" C:\Windows\SysWOW64\phdmmqhk\
2⤵
PID:1460

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create phdmmqhk binPath= "C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe\"" type= own start= auto DisplayName= "P2P Support"
2⤵
- Launches sc.exe
PID:5080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description phdmmqhk "Internet Mobile Support"
2⤵
- Launches sc.exe
PID:4500

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start phdmmqhk
2⤵
- Launches sc.exe
PID:4004

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2672

C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe
Filesize
10.7MB

MD5
509457857f28e3a1c53493ea845936ff

SHA1
a9025bf46dc4ce0ae4773e6b842f517565def413

SHA256
61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057

SHA512
47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4

Download Submit
C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
Filesize
10.7MB

MD5
509457857f28e3a1c53493ea845936ff

SHA1
a9025bf46dc4ce0ae4773e6b842f517565def413

SHA256
61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057

SHA512
47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4

Download Submit
memory/864-130-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1460-132-0x0000000000000000-mapping.dmp

Download
memory/2672-138-0x0000000000000000-mapping.dmp

Download
memory/3080-131-0x0000000000000000-mapping.dmp

Download
memory/3580-140-0x0000000000000000-mapping.dmp

Download
memory/3580-141-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/3580-144-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/3580-145-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/4004-136-0x0000000000000000-mapping.dmp

Download
memory/4500-135-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads