tofsee | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09

General

Target

573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
Size

108KB
MD5

75d4f22da8952b9c6e8c82f72bfedfea
SHA1

95983ed45f7bd53399fb20e54a547308a2f9e9e4
SHA256

573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09
SHA512

e6b945e7c5fc7259690435e780232bb6ffc3b4fd37f2cc9b6f0a7a4c6b9a175e8d84e7997454a0c11cfb44fb78863920191ed3633cee23baaa29f3ea0db0cec3

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

chuuxwmr.exe

pid process

2436 chuuxwmr.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5004 netsh.exe

pid	process
2436	chuuxwmr.exe

pid	process
5004	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fsvsltdw\ImagePath = "C:\\Windows\\SysWOW64\\fsvsltdw\\chuuxwmr.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chuuxwmr.exe

description pid process target process

PID 2436 set thread context of 532 2436 chuuxwmr.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3932 sc.exe
1228 sc.exe
624 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2436 set thread context of 532	2436	chuuxwmr.exe	svchost.exe

pid	process
3932	sc.exe
1228	sc.exe
624	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exechuuxwmr.exe

description	pid	process	target process
PID 3460 wrote to memory of 1976	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 1976	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 1976	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 4644	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 4644	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 4644	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	cmd.exe
PID 3460 wrote to memory of 3932	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 3932	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 3932	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 1228	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 1228	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 1228	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 624	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 624	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 624	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	sc.exe
PID 3460 wrote to memory of 5004	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	netsh.exe
PID 3460 wrote to memory of 5004	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	netsh.exe
PID 3460 wrote to memory of 5004	3460	573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe	netsh.exe
PID 2436 wrote to memory of 532	2436	chuuxwmr.exe	svchost.exe
PID 2436 wrote to memory of 532	2436	chuuxwmr.exe	svchost.exe
PID 2436 wrote to memory of 532	2436	chuuxwmr.exe	svchost.exe
PID 2436 wrote to memory of 532	2436	chuuxwmr.exe	svchost.exe
PID 2436 wrote to memory of 532	2436	chuuxwmr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fsvsltdw\
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\chuuxwmr.exe" C:\Windows\SysWOW64\fsvsltdw\
2⤵
PID:4644

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fsvsltdw binPath= "C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3932

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fsvsltdw "wifi internet conection"
2⤵
- Launches sc.exe
PID:1228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fsvsltdw
2⤵
- Launches sc.exe
PID:624

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:5004

C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe
C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe /d"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chuuxwmr.exe
Filesize
12.8MB

MD5
b7fb00add305052680b96e648d69a845

SHA1
5006caa2ff4b2c36fef90f29e566c33c41d0b51c

SHA256
48f0b979237406bc1bb615a2de259189d2b54f68aed81d8286cb017cfa9e6ee7

SHA512
d6c1f759479dacb6fdfc9e751d4b91f97e00995121f84e5c521470ccc61aa7030c51f1b7c69b44e1f4ce10bbe507f3950d7b9fd8506be3d47c3dc3bd4a105422

Download Submit
C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe
Filesize
12.8MB

MD5
b7fb00add305052680b96e648d69a845

SHA1
5006caa2ff4b2c36fef90f29e566c33c41d0b51c

SHA256
48f0b979237406bc1bb615a2de259189d2b54f68aed81d8286cb017cfa9e6ee7

SHA512
d6c1f759479dacb6fdfc9e751d4b91f97e00995121f84e5c521470ccc61aa7030c51f1b7c69b44e1f4ce10bbe507f3950d7b9fd8506be3d47c3dc3bd4a105422

Download Submit
memory/532-143-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/532-141-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/532-140-0x0000000000000000-mapping.dmp

Download
memory/532-144-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/532-145-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/624-136-0x0000000000000000-mapping.dmp

Download
memory/1228-135-0x0000000000000000-mapping.dmp

Download
memory/1976-131-0x0000000000000000-mapping.dmp

Download
memory/2436-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3460-130-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3932-134-0x0000000000000000-mapping.dmp

Download
memory/4644-132-0x0000000000000000-mapping.dmp

Download
memory/5004-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads