tofsee | d5a45f5fbe4d0679d208908a1282e6675456cf565b427d886cab0b2fdf92c21b

General

Target

3-psltrtbl.exe
Size

14.9MB
MD5

b43621f4b65408c95be2bb609f310f37
SHA1

9bb79973daf63550d3f403c10f6be0a57f797b7f
SHA256

d5a45f5fbe4d0679d208908a1282e6675456cf565b427d886cab0b2fdf92c21b
SHA512

9d09de7115fca7316815c7fcfea2c431bfeccea2629aa3878ea52bd241f1ea8b60bda70828420ced7e0cfd3fbf9bb032a8656d2085afcd748cfbd6ba4e1cb04e

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yfahmtrq = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

jmkfzgqa.exe

pid process

1996 jmkfzgqa.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1176 netsh.exe

pid	process
1996	jmkfzgqa.exe

pid	process
1176	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yfahmtrq\ImagePath = "C:\\Windows\\SysWOW64\\yfahmtrq\\jmkfzgqa.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

680 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jmkfzgqa.exe

description pid process target process

PID 1996 set thread context of 680 1996 jmkfzgqa.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

600 sc.exe
960 sc.exe
1208 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
680	svchost.exe

description	pid	process	target process
PID 1996 set thread context of 680	1996	jmkfzgqa.exe	svchost.exe

pid	process
600	sc.exe
960	sc.exe
1208	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

3-psltrtbl.exejmkfzgqa.exe

description	pid	process	target process
PID 1420 wrote to memory of 1188	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 1188	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 1188	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 1188	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 2020	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 2020	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 2020	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 2020	1420	3-psltrtbl.exe	cmd.exe
PID 1420 wrote to memory of 960	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 960	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 960	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 960	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 1208	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 1208	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 1208	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 1208	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 600	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 600	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 600	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 600	1420	3-psltrtbl.exe	sc.exe
PID 1420 wrote to memory of 1176	1420	3-psltrtbl.exe	netsh.exe
PID 1420 wrote to memory of 1176	1420	3-psltrtbl.exe	netsh.exe
PID 1420 wrote to memory of 1176	1420	3-psltrtbl.exe	netsh.exe
PID 1420 wrote to memory of 1176	1420	3-psltrtbl.exe	netsh.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe
PID 1996 wrote to memory of 680	1996	jmkfzgqa.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3-psltrtbl.exe
"C:\Users\Admin\AppData\Local\Temp\3-psltrtbl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yfahmtrq\
2⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jmkfzgqa.exe" C:\Windows\SysWOW64\yfahmtrq\
2⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create yfahmtrq binPath= "C:\Windows\SysWOW64\yfahmtrq\jmkfzgqa.exe /d\"C:\Users\Admin\AppData\Local\Temp\3-psltrtbl.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:960

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description yfahmtrq "wifi internet conection"
2⤵
- Launches sc.exe
PID:1208

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start yfahmtrq
2⤵
- Launches sc.exe
PID:600

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1176

C:\Windows\SysWOW64\yfahmtrq\jmkfzgqa.exe
C:\Windows\SysWOW64\yfahmtrq\jmkfzgqa.exe /d"C:\Users\Admin\AppData\Local\Temp\3-psltrtbl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jmkfzgqa.exe
Filesize
11.3MB

MD5
ff2d0714ae37d3e0f7142135821e17ea

SHA1
1e70b254925727cbaed63d9e18ba1db950c69370

SHA256
e0c17a17c17b7c4bb210e1514195bff53f86ef1b20318e4f87df83b606cbce66

SHA512
3536e1f75f0c672e722931b6550024488422c4fdf60138968f3c543d47d867cbbdb1f3aeac9b7c3b81e0d1caac58140c15eebc95d03a8bc96fe2c2d339a654c1

Download Submit
C:\Windows\SysWOW64\yfahmtrq\jmkfzgqa.exe
Filesize
11.3MB

MD5
ff2d0714ae37d3e0f7142135821e17ea

SHA1
1e70b254925727cbaed63d9e18ba1db950c69370

SHA256
e0c17a17c17b7c4bb210e1514195bff53f86ef1b20318e4f87df83b606cbce66

SHA512
3536e1f75f0c672e722931b6550024488422c4fdf60138968f3c543d47d867cbbdb1f3aeac9b7c3b81e0d1caac58140c15eebc95d03a8bc96fe2c2d339a654c1

Download Submit
memory/600-63-0x0000000000000000-mapping.dmp

Download
memory/680-70-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/680-80-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/680-79-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/680-73-0x00000000000D9A6B-mapping.dmp

Download
memory/680-72-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/960-61-0x0000000000000000-mapping.dmp

Download
memory/1176-65-0x0000000000000000-mapping.dmp

Download
memory/1188-58-0x0000000000000000-mapping.dmp

Download
memory/1208-62-0x0000000000000000-mapping.dmp

Download
memory/1420-67-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1420-66-0x00000000005DB000-0x00000000005E9000-memory.dmp

Filesize
56KB

Download
memory/1420-55-0x00000000005DB000-0x00000000005E9000-memory.dmp

Filesize
56KB

Download
memory/1420-54-0x0000000075481000-0x0000000075483000-memory.dmp

Filesize
8KB

Download
memory/1420-56-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1420-57-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1996-74-0x000000000068B000-0x0000000000699000-memory.dmp

Filesize
56KB

Download
memory/1996-76-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2020-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads