tofsee | 3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a

General

Target

3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe
Size

98KB
MD5

64d99f54eb2c930bfe3aab70dd462137
SHA1

ec87ef99e4a6080b01e708e0746dae89f704d120
SHA256

3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a
SHA512

3c3b1397643347189af74fd470577c840683aa955ce87d2b1ce80d3abafb68629e29b4caaa7318612071ebd2f036e1a835f99da78d9183191e5073b3dd5aeac3

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\orbqxhzk = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

yklfawxu.exeszmmpasn.exe

pid process

604 yklfawxu.exe
980 szmmpasn.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1800 netsh.exe
800 netsh.exe

pid	process
604	yklfawxu.exe
980	szmmpasn.exe

pid	process
1800	netsh.exe
800	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\orbqxhzk\ImagePath = "C:\\Windows\\SysWOW64\\orbqxhzk\\szmmpasn.exe"	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe

pid	process
1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe
1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\qtdszjbm = "\"C:\\Users\\Admin\\yklfawxu.exe\""	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

szmmpasn.exe

description pid process target process

PID 980 set thread context of 560 980 szmmpasn.exe svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1612 sc.exe
1972 sc.exe
916 sc.exe
452 sc.exe
1460 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 980 set thread context of 560	980	szmmpasn.exe	svchost.exe

pid	process
1612	sc.exe
1972	sc.exe
916	sc.exe
452	sc.exe
1460	sc.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exeyklfawxu.exeszmmpasn.exe

description	pid	process	target process
PID 1532 wrote to memory of 280	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 280	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 280	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 280	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 988	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 988	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 988	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 988	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	cmd.exe
PID 1532 wrote to memory of 1612	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1612	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1612	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1612	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1972	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1972	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1972	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1972	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 916	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 916	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 916	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 916	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	sc.exe
PID 1532 wrote to memory of 1800	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	netsh.exe
PID 1532 wrote to memory of 1800	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	netsh.exe
PID 1532 wrote to memory of 1800	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	netsh.exe
PID 1532 wrote to memory of 1800	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	netsh.exe
PID 1532 wrote to memory of 604	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	yklfawxu.exe
PID 1532 wrote to memory of 604	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	yklfawxu.exe
PID 1532 wrote to memory of 604	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	yklfawxu.exe
PID 1532 wrote to memory of 604	1532	3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe	yklfawxu.exe
PID 604 wrote to memory of 1356	604	yklfawxu.exe	cmd.exe
PID 604 wrote to memory of 1356	604	yklfawxu.exe	cmd.exe
PID 604 wrote to memory of 1356	604	yklfawxu.exe	cmd.exe
PID 604 wrote to memory of 1356	604	yklfawxu.exe	cmd.exe
PID 604 wrote to memory of 452	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 452	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 452	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 452	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 1460	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 1460	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 1460	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 1460	604	yklfawxu.exe	sc.exe
PID 604 wrote to memory of 800	604	yklfawxu.exe	netsh.exe
PID 604 wrote to memory of 800	604	yklfawxu.exe	netsh.exe
PID 604 wrote to memory of 800	604	yklfawxu.exe	netsh.exe
PID 604 wrote to memory of 800	604	yklfawxu.exe	netsh.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe
PID 980 wrote to memory of 560	980	szmmpasn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe
"C:\Users\Admin\AppData\Local\Temp\3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\orbqxhzk\
2⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xohkreqp.exe" C:\Windows\SysWOW64\orbqxhzk\
2⤵
PID:988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create orbqxhzk binPath= "C:\Windows\SysWOW64\orbqxhzk\xohkreqp.exe /d\"C:\Users\Admin\AppData\Local\Temp\3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1612

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description orbqxhzk "wifi internet conection"
2⤵
- Launches sc.exe
PID:1972

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start orbqxhzk
2⤵
- Launches sc.exe
PID:916

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1800

C:\Users\Admin\yklfawxu.exe
"C:\Users\Admin\yklfawxu.exe" /d"C:\Users\Admin\AppData\Local\Temp\3d09b1338518359bce932c85f293e482c0f300173fff9a15c7f785d03d132a6a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\szmmpasn.exe" C:\Windows\SysWOW64\orbqxhzk\
3⤵
PID:1356

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config orbqxhzk binPath= "C:\Windows\SysWOW64\orbqxhzk\szmmpasn.exe /d\"C:\Users\Admin\yklfawxu.exe\""
3⤵
- Launches sc.exe
PID:452

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start orbqxhzk
3⤵
- Launches sc.exe
PID:1460

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:800

C:\Windows\SysWOW64\orbqxhzk\szmmpasn.exe
C:\Windows\SysWOW64\orbqxhzk\szmmpasn.exe /d"C:\Users\Admin\yklfawxu.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szmmpasn.exe
Filesize
10.7MB

MD5
f1e0aaf0912357681dcba9c8f6bf7467

SHA1
db00aea73e99889214f02295769fe2b75c245f04

SHA256
4bcb47541198e2a97e59c95a83b5eb0b1c0e56573fab58557fff75686a9beb58

SHA512
690ee3f1e0e7fc3836a18644d167e526269ef45d1a940b72f07cd473f16fccf2fae992c731356b66e8b77af1c086881dc7bed6475d6867997c061f006ca1828e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xohkreqp.exe
Filesize
11.2MB

MD5
fcc78a7769a15a8e595795d00522b857

SHA1
6d0ae65e9e37db9ad664249a5849570f98f0a0f0

SHA256
df4fa6d79faacd3a67693dfbeeb0e0bee653fa9e1211e175d0417c7e18fb64b5

SHA512
c65cc529aa2595e738698b29eb9dbe4e44de7cf0a4f9f4d432590bc258e9f0b87dc4015b591abb9cb42b4406683bec7f696ee24dbd2f702eceefe04d6ab4a101

Download Submit
C:\Users\Admin\yklfawxu.exe
Filesize
15.0MB

MD5
347829339efa630b670e44f77c46bd4e

SHA1
c5197743a2cb383a6a3c8438a6534d5ae4f0f3ee

SHA256
0d0a127633442e88e95bb323227ed18d2df86ccbabd1f0da164ae30de49b2aea

SHA512
81a4a9961f1a533f1772016b0572047cd19c39f6d7616a97b26ddfcde017efcd27372c2fd91da1c07908cf20ccdd2806aa7d40920e30888afb8ecb0c695d0b9f

Download Submit
C:\Users\Admin\yklfawxu.exe
Filesize
15.0MB

MD5
347829339efa630b670e44f77c46bd4e

SHA1
c5197743a2cb383a6a3c8438a6534d5ae4f0f3ee

SHA256
0d0a127633442e88e95bb323227ed18d2df86ccbabd1f0da164ae30de49b2aea

SHA512
81a4a9961f1a533f1772016b0572047cd19c39f6d7616a97b26ddfcde017efcd27372c2fd91da1c07908cf20ccdd2806aa7d40920e30888afb8ecb0c695d0b9f

Download Submit
C:\Windows\SysWOW64\orbqxhzk\szmmpasn.exe
Filesize
10.7MB

MD5
f1e0aaf0912357681dcba9c8f6bf7467

SHA1
db00aea73e99889214f02295769fe2b75c245f04

SHA256
4bcb47541198e2a97e59c95a83b5eb0b1c0e56573fab58557fff75686a9beb58

SHA512
690ee3f1e0e7fc3836a18644d167e526269ef45d1a940b72f07cd473f16fccf2fae992c731356b66e8b77af1c086881dc7bed6475d6867997c061f006ca1828e

Download Submit
\Users\Admin\yklfawxu.exe
Filesize
15.0MB

MD5
347829339efa630b670e44f77c46bd4e

SHA1
c5197743a2cb383a6a3c8438a6534d5ae4f0f3ee

SHA256
0d0a127633442e88e95bb323227ed18d2df86ccbabd1f0da164ae30de49b2aea

SHA512
81a4a9961f1a533f1772016b0572047cd19c39f6d7616a97b26ddfcde017efcd27372c2fd91da1c07908cf20ccdd2806aa7d40920e30888afb8ecb0c695d0b9f

Download Submit
\Users\Admin\yklfawxu.exe
Filesize
15.0MB

MD5
347829339efa630b670e44f77c46bd4e

SHA1
c5197743a2cb383a6a3c8438a6534d5ae4f0f3ee

SHA256
0d0a127633442e88e95bb323227ed18d2df86ccbabd1f0da164ae30de49b2aea

SHA512
81a4a9961f1a533f1772016b0572047cd19c39f6d7616a97b26ddfcde017efcd27372c2fd91da1c07908cf20ccdd2806aa7d40920e30888afb8ecb0c695d0b9f

Download Submit
memory/280-56-0x0000000000000000-mapping.dmp

Download
memory/452-72-0x0000000000000000-mapping.dmp

Download
memory/560-86-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/560-82-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/560-83-0x0000000000089A6B-mapping.dmp

Download
memory/560-87-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/560-80-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/560-88-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/604-65-0x0000000000000000-mapping.dmp

Download
memory/604-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/800-75-0x0000000000000000-mapping.dmp

Download
memory/916-61-0x0000000000000000-mapping.dmp

Download
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/1356-70-0x0000000000000000-mapping.dmp

Download
memory/1460-74-0x0000000000000000-mapping.dmp

Download
memory/1532-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1532-55-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1612-59-0x0000000000000000-mapping.dmp

Download
memory/1800-62-0x0000000000000000-mapping.dmp

Download
memory/1972-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads