tofsee | 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c

General

Target

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
Size

207KB
MD5

ad39ad585aa201d750e984c89aa02e9c
SHA1

142a5de3ec0af160e7f21368e39eb45a654df086
SHA256

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c
SHA512

6edfe20a8ae02b9b312689225fdd90fb208d8fde57491e9999946f16334600face6776b6011c96c22bd29d58f1fcd3a43addba849893ef89f07e171b96a76794

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nbwexwgm = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

kmhypjqj.exe

pid process

472 kmhypjqj.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

796 netsh.exe

pid	process
472	kmhypjqj.exe

pid	process
796	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nbwexwgm\ImagePath = "C:\\Windows\\SysWOW64\\nbwexwgm\\kmhypjqj.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1316 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kmhypjqj.exe

description pid process target process

PID 472 set thread context of 1316 472 kmhypjqj.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1252 sc.exe
1184 sc.exe
1656 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1316	svchost.exe

description	pid	process	target process
PID 472 set thread context of 1316	472	kmhypjqj.exe	svchost.exe

pid	process
1252	sc.exe
1184	sc.exe
1656	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exekmhypjqj.exe

description	pid	process	target process
PID 632 wrote to memory of 1940	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1940	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1940	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1940	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1228	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1228	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1228	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1228	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	cmd.exe
PID 632 wrote to memory of 1252	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1252	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1252	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1252	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1184	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1184	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1184	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1184	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1656	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1656	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1656	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 632 wrote to memory of 1656	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	sc.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe
PID 632 wrote to memory of 796	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	netsh.exe
PID 632 wrote to memory of 796	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	netsh.exe
PID 632 wrote to memory of 796	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	netsh.exe
PID 632 wrote to memory of 796	632	80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe	netsh.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe
PID 472 wrote to memory of 1316	472	kmhypjqj.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
"C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nbwexwgm\
2⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kmhypjqj.exe" C:\Windows\SysWOW64\nbwexwgm\
2⤵
PID:1228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nbwexwgm binPath= "C:\Windows\SysWOW64\nbwexwgm\kmhypjqj.exe /d\"C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1252

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nbwexwgm "wifi internet conection"
2⤵
- Launches sc.exe
PID:1184

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nbwexwgm
2⤵
- Launches sc.exe
PID:1656

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:796

C:\Windows\SysWOW64\nbwexwgm\kmhypjqj.exe
C:\Windows\SysWOW64\nbwexwgm\kmhypjqj.exe /d"C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kmhypjqj.exe
Filesize
12.1MB

MD5
5bcdf2ad4912a4f760fd29549b210004

SHA1
7055122ff2a8c2489ad15d00069efb6512652bd1

SHA256
9b451a6e32ba88fb3c719dc7e2d71ecd85be8f793f0edd7123f5cef557c965b3

SHA512
b3bded57a8ead3ef446151242baf75bd08c49f217b9ffa95a8e43956aadf33c72f07f61161f0e0599e5d236bd7ef218999dd68f67ef44f0b6edfc265afdd322d

Download Submit
C:\Windows\SysWOW64\nbwexwgm\kmhypjqj.exe
Filesize
12.1MB

MD5
5bcdf2ad4912a4f760fd29549b210004

SHA1
7055122ff2a8c2489ad15d00069efb6512652bd1

SHA256
9b451a6e32ba88fb3c719dc7e2d71ecd85be8f793f0edd7123f5cef557c965b3

SHA512
b3bded57a8ead3ef446151242baf75bd08c49f217b9ffa95a8e43956aadf33c72f07f61161f0e0599e5d236bd7ef218999dd68f67ef44f0b6edfc265afdd322d

Download Submit
memory/472-78-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/472-77-0x00000000005E0000-0x00000000005EF000-memory.dmp

Filesize
60KB

Download
memory/472-66-0x00000000005E0000-0x00000000005EF000-memory.dmp

Filesize
60KB

Download
memory/632-72-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/632-54-0x0000000000320000-0x000000000032F000-memory.dmp

Filesize
60KB

Download
memory/632-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/632-55-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/632-57-0x0000000000320000-0x000000000032F000-memory.dmp

Filesize
60KB

Download
memory/632-58-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/796-68-0x0000000000000000-mapping.dmp

Download
memory/1184-63-0x0000000000000000-mapping.dmp

Download
memory/1228-60-0x0000000000000000-mapping.dmp

Download
memory/1252-62-0x0000000000000000-mapping.dmp

Download
memory/1316-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1316-79-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1316-71-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1316-73-0x0000000000089A6B-mapping.dmp

Download
memory/1316-81-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1656-64-0x0000000000000000-mapping.dmp

Download
memory/1940-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads