tofsee | 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89

General

Target

5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
Size

102KB
MD5

58c848f7841d332fc990a34e4ebe87d0
SHA1

5ef60b4f3aba6c5fbc0f37dd0fab98e207801710
SHA256

5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89
SHA512

596a8d135ca17dfdfaa3b2a6d8f2ccc14073c711224023b26fa8c8d4003ce54ee96c0884140e4e22af4ce05d7783298ad499fabb01a28ec5cb23e99a335c5381

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gviibcyw = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

zpvopxnw.exe

pid process

1540 zpvopxnw.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1496 netsh.exe

pid	process
1540	zpvopxnw.exe

pid	process
1496	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gviibcyw\ImagePath = "C:\\Windows\\SysWOW64\\gviibcyw\\zpvopxnw.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

240 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zpvopxnw.exe

description pid process target process

PID 1540 set thread context of 240 1540 zpvopxnw.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1732 sc.exe
1284 sc.exe
1256 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
240	svchost.exe

description	pid	process	target process
PID 1540 set thread context of 240	1540	zpvopxnw.exe	svchost.exe

pid	process
1732	sc.exe
1284	sc.exe
1256	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exezpvopxnw.exe

description	pid	process	target process
PID 968 wrote to memory of 1064	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 1064	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 1064	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 1064	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 952	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 952	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 952	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 952	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	cmd.exe
PID 968 wrote to memory of 1732	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1732	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1732	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1732	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1284	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1284	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1284	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1284	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1256	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1256	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1256	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1256	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	sc.exe
PID 968 wrote to memory of 1496	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	netsh.exe
PID 968 wrote to memory of 1496	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	netsh.exe
PID 968 wrote to memory of 1496	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	netsh.exe
PID 968 wrote to memory of 1496	968	5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe	netsh.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe
PID 1540 wrote to memory of 240	1540	zpvopxnw.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
"C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gviibcyw\
2⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zpvopxnw.exe" C:\Windows\SysWOW64\gviibcyw\
2⤵
PID:952

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gviibcyw binPath= "C:\Windows\SysWOW64\gviibcyw\zpvopxnw.exe /d\"C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1732

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gviibcyw "wifi internet conection"
2⤵
- Launches sc.exe
PID:1284

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gviibcyw
2⤵
- Launches sc.exe
PID:1256

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1496

C:\Windows\SysWOW64\gviibcyw\zpvopxnw.exe
C:\Windows\SysWOW64\gviibcyw\zpvopxnw.exe /d"C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zpvopxnw.exe
Filesize
12.8MB

MD5
0b25fadd0ba4cf93b87b73e3142c42e4

SHA1
f31c8a46263083c53be9f37928ccfa2c444bfe4a

SHA256
b0e2dd1916ccc0cfd92372113ce32167d7e56112f81371e208e4c7f809861bc0

SHA512
e4d469e08cf8e8edcdbc1a624c0aeace5df63c83f13dc98a2c5db5dccb5364e5fbf8474bde3c1381c9c98dedd4927f3f89c99c4dfcbfd97bfe9bd0d56b91031b

Download Submit
C:\Windows\SysWOW64\gviibcyw\zpvopxnw.exe
Filesize
12.8MB

MD5
0b25fadd0ba4cf93b87b73e3142c42e4

SHA1
f31c8a46263083c53be9f37928ccfa2c444bfe4a

SHA256
b0e2dd1916ccc0cfd92372113ce32167d7e56112f81371e208e4c7f809861bc0

SHA512
e4d469e08cf8e8edcdbc1a624c0aeace5df63c83f13dc98a2c5db5dccb5364e5fbf8474bde3c1381c9c98dedd4927f3f89c99c4dfcbfd97bfe9bd0d56b91031b

Download Submit
memory/240-70-0x0000000000089A6B-mapping.dmp

Download
memory/240-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/240-75-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/240-74-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/240-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/968-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/968-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1064-56-0x0000000000000000-mapping.dmp

Download
memory/1256-61-0x0000000000000000-mapping.dmp

Download
memory/1284-60-0x0000000000000000-mapping.dmp

Download
memory/1496-62-0x0000000000000000-mapping.dmp

Download
memory/1540-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads