tofsee | 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78

General

Target

559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
Size

99KB
MD5

bd9639044643025556c8fbd6271fe5e5
SHA1

3bedbea22ced1f577ba4925400b36a615221b72b
SHA256

559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78
SHA512

131f147c38e09778f35ebae81b8fab8fbd2a00f2ca49ef81092c3848e3f1645f51b263bdc6828a4c84c6998fe4f44c2b7f6afa9bf86fe2b153e2d0e894898393

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

cbnjoyiv.exe

pid process

3868 cbnjoyiv.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3392 netsh.exe

pid	process
3868	cbnjoyiv.exe

pid	process
3392	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zkrhdgfn\ImagePath = "C:\\Windows\\SysWOW64\\zkrhdgfn\\cbnjoyiv.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cbnjoyiv.exe

description pid process target process

PID 3868 set thread context of 4436 3868 cbnjoyiv.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4420 sc.exe
4252 sc.exe
1400 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3868 set thread context of 4436	3868	cbnjoyiv.exe	svchost.exe

pid	process
4420	sc.exe
4252	sc.exe
1400	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.execbnjoyiv.exe

description	pid	process	target process
PID 4100 wrote to memory of 488	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 488	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 488	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 5048	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 5048	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 5048	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	cmd.exe
PID 4100 wrote to memory of 4420	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 4420	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 4420	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 4252	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 4252	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 4252	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 1400	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 1400	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 1400	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	sc.exe
PID 4100 wrote to memory of 3392	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	netsh.exe
PID 4100 wrote to memory of 3392	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	netsh.exe
PID 4100 wrote to memory of 3392	4100	559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe	netsh.exe
PID 3868 wrote to memory of 4436	3868	cbnjoyiv.exe	svchost.exe
PID 3868 wrote to memory of 4436	3868	cbnjoyiv.exe	svchost.exe
PID 3868 wrote to memory of 4436	3868	cbnjoyiv.exe	svchost.exe
PID 3868 wrote to memory of 4436	3868	cbnjoyiv.exe	svchost.exe
PID 3868 wrote to memory of 4436	3868	cbnjoyiv.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
"C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zkrhdgfn\
2⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cbnjoyiv.exe" C:\Windows\SysWOW64\zkrhdgfn\
2⤵
PID:5048

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zkrhdgfn binPath= "C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe /d\"C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zkrhdgfn "wifi internet conection"
2⤵
- Launches sc.exe
PID:4252

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zkrhdgfn
2⤵
- Launches sc.exe
PID:1400

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3392

C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe
C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe /d"C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbnjoyiv.exe
Filesize
12.0MB

MD5
ea93b0dbb3fac154355f83f1ec7b0cc8

SHA1
46b124e0b3088c3a89a5dbc72226ea282c500a23

SHA256
2ad2a0f08a5a0363b6c4fac9705381061f8a16dd4768ab73078668f56f980c7a

SHA512
fdcbb5669e347603c03413b14496eefb2be26eeb8a39d366771814cc45391cec22f3a165fb35bf6bb278f913716525071699dd62c3e908e9f846f1902d11001a

Download Submit
C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe
Filesize
12.0MB

MD5
ea93b0dbb3fac154355f83f1ec7b0cc8

SHA1
46b124e0b3088c3a89a5dbc72226ea282c500a23

SHA256
2ad2a0f08a5a0363b6c4fac9705381061f8a16dd4768ab73078668f56f980c7a

SHA512
fdcbb5669e347603c03413b14496eefb2be26eeb8a39d366771814cc45391cec22f3a165fb35bf6bb278f913716525071699dd62c3e908e9f846f1902d11001a

Download Submit
memory/488-131-0x0000000000000000-mapping.dmp

Download
memory/1400-136-0x0000000000000000-mapping.dmp

Download
memory/3392-137-0x0000000000000000-mapping.dmp

Download
memory/3868-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4100-130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4252-135-0x0000000000000000-mapping.dmp

Download
memory/4420-134-0x0000000000000000-mapping.dmp

Download
memory/4436-140-0x0000000000000000-mapping.dmp

Download
memory/4436-141-0x0000000000AE0000-0x0000000000AF5000-memory.dmp

Filesize
84KB

Download
memory/4436-143-0x0000000000AE0000-0x0000000000AF5000-memory.dmp

Filesize
84KB

Download
memory/4436-144-0x0000000000AE0000-0x0000000000AF5000-memory.dmp

Filesize
84KB

Download
memory/4436-145-0x0000000000AE0000-0x0000000000AF5000-memory.dmp

Filesize
84KB

Download
memory/5048-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads