tofsee | 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3

General

Target

5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
Size

312KB
MD5

239efbf95c2860f12e662a99b3565f48
SHA1

05c15510420333d3d737d7fe97e21d0c05ca081e
SHA256

5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3
SHA512

4b256ab638ab603aeffdcb952b08e593e05d09a2d0cf6f220afd8ab9750491ec8e8ae1371515a69fd6ad2e2633dce29848e9e00040e9e64e1300c62bc335aee3

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

ihtpueob.exe

pid process

456 ihtpueob.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3960 netsh.exe

pid	process
456	ihtpueob.exe

pid	process
3960	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dbwdahuc\ImagePath = "C:\\Windows\\SysWOW64\\dbwdahuc\\ihtpueob.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ihtpueob.exe

description pid process target process

PID 456 set thread context of 796 456 ihtpueob.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4816 sc.exe
5116 sc.exe
380 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 456 set thread context of 796	456	ihtpueob.exe	svchost.exe

pid	process
4816	sc.exe
5116	sc.exe
380	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exeihtpueob.exe

description	pid	process	target process
PID 4752 wrote to memory of 4660	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4660	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4660	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4644	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4644	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4644	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	cmd.exe
PID 4752 wrote to memory of 4816	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 4816	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 4816	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 5116	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 5116	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 5116	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 380	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 380	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 380	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	sc.exe
PID 4752 wrote to memory of 3960	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	netsh.exe
PID 4752 wrote to memory of 3960	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	netsh.exe
PID 4752 wrote to memory of 3960	4752	5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe	netsh.exe
PID 456 wrote to memory of 796	456	ihtpueob.exe	svchost.exe
PID 456 wrote to memory of 796	456	ihtpueob.exe	svchost.exe
PID 456 wrote to memory of 796	456	ihtpueob.exe	svchost.exe
PID 456 wrote to memory of 796	456	ihtpueob.exe	svchost.exe
PID 456 wrote to memory of 796	456	ihtpueob.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
"C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbwdahuc\
2⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ihtpueob.exe" C:\Windows\SysWOW64\dbwdahuc\
2⤵
PID:4644

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create dbwdahuc binPath= "C:\Windows\SysWOW64\dbwdahuc\ihtpueob.exe /d\"C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4816

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description dbwdahuc "wifi internet conection"
2⤵
- Launches sc.exe
PID:5116

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start dbwdahuc
2⤵
- Launches sc.exe
PID:380

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3960

C:\Windows\SysWOW64\dbwdahuc\ihtpueob.exe
C:\Windows\SysWOW64\dbwdahuc\ihtpueob.exe /d"C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ihtpueob.exe
Filesize
13.2MB

MD5
9ad4bc4e8ff2646568f1b03fd5343dc8

SHA1
544fa3e1af746be7043e5b3ab6f55c77de77b652

SHA256
fa8ee7321c7746969b200698d35b9453e8d289fb8eff51a1bbb71334bf851bce

SHA512
f6b146b031c95959bc2e1c890fd74ba72e9e47469eca1ce90742bbb5cd381c05a11eeaab6bfc371b9576f84f4f92a3d8d76c2aa81bb7f6398fe092ab2dbbc0a6

Download Submit
C:\Windows\SysWOW64\dbwdahuc\ihtpueob.exe
Filesize
13.2MB

MD5
9ad4bc4e8ff2646568f1b03fd5343dc8

SHA1
544fa3e1af746be7043e5b3ab6f55c77de77b652

SHA256
fa8ee7321c7746969b200698d35b9453e8d289fb8eff51a1bbb71334bf851bce

SHA512
f6b146b031c95959bc2e1c890fd74ba72e9e47469eca1ce90742bbb5cd381c05a11eeaab6bfc371b9576f84f4f92a3d8d76c2aa81bb7f6398fe092ab2dbbc0a6

Download Submit
memory/380-138-0x0000000000000000-mapping.dmp

Download
memory/456-142-0x000000000541F000-0x000000000542E000-memory.dmp

Filesize
60KB

Download
memory/456-149-0x0000000000400000-0x00000000052AF000-memory.dmp

Filesize
78.7MB

Download
memory/456-147-0x000000000541F000-0x000000000542E000-memory.dmp

Filesize
60KB

Download
memory/796-143-0x0000000000000000-mapping.dmp

Download
memory/796-150-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/796-148-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/796-144-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/3960-140-0x0000000000000000-mapping.dmp

Download
memory/4644-134-0x0000000000000000-mapping.dmp

Download
memory/4660-132-0x0000000000000000-mapping.dmp

Download
memory/4752-141-0x0000000000400000-0x00000000052AF000-memory.dmp

Filesize
78.7MB

Download
memory/4752-130-0x0000000005343000-0x0000000005352000-memory.dmp

Filesize
60KB

Download
memory/4752-131-0x0000000005343000-0x0000000005352000-memory.dmp

Filesize
60KB

Download
memory/4752-133-0x0000000000400000-0x00000000052AF000-memory.dmp

Filesize
78.7MB

Download
memory/4816-136-0x0000000000000000-mapping.dmp

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads