tofsee | fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d

General

Target

fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe
Size

11.0MB
MD5

734c2faea43e5b51f8261cd2873bb940
SHA1

3bb1bf5d3658bd1975fa35859d1ba35641735097
SHA256

fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d
SHA512

b77d4b10a09db22cb01f40fb1268ab05a335be58f6848b5978adfe25a8042ee73a9b1279aaffcbce24ba47232344c074787581b9bf47d09a70906dd55fcd173b

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

huusrsff.exe

pid process

4560 huusrsff.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4628 netsh.exe

pid	process
4560	huusrsff.exe

pid	process
4628	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4812 sc.exe
4604 sc.exe
2668 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4812	sc.exe
4604	sc.exe
2668	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
5068	4188	WerFault.exe	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe
1316	4560	WerFault.exe	huusrsff.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe

description	pid	process	target process
PID 4188 wrote to memory of 2876	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 2876	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 2876	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 2508	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 2508	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 2508	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	cmd.exe
PID 4188 wrote to memory of 4812	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4812	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4812	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4604	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4604	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4604	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 2668	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 2668	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 2668	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	sc.exe
PID 4188 wrote to memory of 4628	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	netsh.exe
PID 4188 wrote to memory of 4628	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	netsh.exe
PID 4188 wrote to memory of 4628	4188	fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe
"C:\Users\Admin\AppData\Local\Temp\fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vqpafmiq\
2⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\huusrsff.exe" C:\Windows\SysWOW64\vqpafmiq\
2⤵
PID:2508

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create vqpafmiq binPath= "C:\Windows\SysWOW64\vqpafmiq\huusrsff.exe /d\"C:\Users\Admin\AppData\Local\Temp\fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4812

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description vqpafmiq "wifi internet conection"
2⤵
- Launches sc.exe
PID:4604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start vqpafmiq
2⤵
- Launches sc.exe
PID:2668

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 788
2⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\vqpafmiq\huusrsff.exe
C:\Windows\SysWOW64\vqpafmiq\huusrsff.exe /d"C:\Users\Admin\AppData\Local\Temp\fe70a88244756a21fa321b27001ea72d524003de90356fa9797ce218c794ff5d.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 184
2⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4188 -ip 4188
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4560 -ip 4560
1⤵
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\huusrsff.exe
Filesize
276KB

MD5
34af4fb53a6d0b14df657069528a3333

SHA1
db8f2bcd4b0b10170746b57880fa71a4dfe70377

SHA256
4d33d57dbccbf7444ff274fb20f304ab4ecc7d6acf434ce937bc75d622c5ffda

SHA512
2aee35af9f84e38e786cfbc69dc468921685d4a37e4ccf9c617a8f02019f2e78ec777514958655922faf0cafec7d116ae5c70c6a1f1b228322e02788434ebd40

Download Submit
C:\Windows\SysWOW64\vqpafmiq\huusrsff.exe
Filesize
562KB

MD5
a838e6eefc30cda8216d0679e55c90ce

SHA1
b36b75a556d5bd52e8f58d870b158146b97c3e9d

SHA256
8b766c4b900448b0623ee52f903c1baae1fa97dbe5199efc5673ba43ad00eca3

SHA512
b52f841d264a37b99e5bf5db7601d56726012ba894b332f7bbf72d71e4630210f229ff7cc5d9c345b785513009cbbe01681a186280fcaaf5bf9f48df96a9758d

Download Submit
memory/1092-149-0x0000000000460000-0x0000000000475000-memory.dmp

Filesize
84KB

Download
memory/1092-142-0x0000000000000000-mapping.dmp

Download
memory/1092-147-0x0000000000460000-0x0000000000475000-memory.dmp

Filesize
84KB

Download
memory/1092-143-0x0000000000460000-0x0000000000475000-memory.dmp

Filesize
84KB

Download
memory/2508-133-0x0000000000000000-mapping.dmp

Download
memory/2668-138-0x0000000000000000-mapping.dmp

Download
memory/2876-130-0x0000000000000000-mapping.dmp

Download
memory/4188-135-0x0000000000400000-0x0000000002C68000-memory.dmp

Filesize
40.4MB

Download
memory/4188-141-0x0000000000400000-0x0000000002C68000-memory.dmp

Filesize
40.4MB

Download
memory/4188-131-0x0000000002DE8000-0x0000000002DF6000-memory.dmp

Filesize
56KB

Download
memory/4188-132-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/4560-146-0x0000000002F93000-0x0000000002FA1000-memory.dmp

Filesize
56KB

Download
memory/4560-148-0x0000000000400000-0x0000000002C68000-memory.dmp

Filesize
40.4MB

Download
memory/4604-137-0x0000000000000000-mapping.dmp

Download
memory/4628-140-0x0000000000000000-mapping.dmp

Download
memory/4812-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads