tofsee | 519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd

Analysis

max time kernel
208s
max time network
212s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
04-08-2022 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe
Size

11.6MB
MD5

ca48c2a5c3d617e0538e0baadaa23bc7
SHA1

42936532aa66b923d389a496352e7494bdd8ba23
SHA256

519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd
SHA512

79966f4ee83d1f2ffaaaffe2590375ea26c5ef1c42bbae50727ddf561d98a0d2928fb332ae568fec02da3140f17b1a6f1e1ca77cdc4ae0fd8d1bd663bc0afefe

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

mubrikych.top

oxxyfix.xyz

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tbazymmr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

fkuidypa.exe

pid process

2160 fkuidypa.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2128 netsh.exe

pid	process
2160	fkuidypa.exe

pid	process
2128	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tbazymmr\ImagePath = "C:\\Windows\\SysWOW64\\tbazymmr\\fkuidypa.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1428 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fkuidypa.exe

description pid process target process

PID 2160 set thread context of 1428 2160 fkuidypa.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3276 sc.exe
2744 sc.exe
656 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1428	svchost.exe

description	pid	process	target process
PID 2160 set thread context of 1428	2160	fkuidypa.exe	svchost.exe

pid	process
3276	sc.exe
2744	sc.exe
656	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exefkuidypa.exe

description	pid	process	target process
PID 3152 wrote to memory of 2440	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2440	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2440	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2320	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2320	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2320	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	cmd.exe
PID 3152 wrote to memory of 2744	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 2744	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 2744	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 656	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 656	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 656	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 3276	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 3276	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 3276	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	sc.exe
PID 3152 wrote to memory of 2128	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	netsh.exe
PID 3152 wrote to memory of 2128	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	netsh.exe
PID 3152 wrote to memory of 2128	3152	519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe	netsh.exe
PID 2160 wrote to memory of 1428	2160	fkuidypa.exe	svchost.exe
PID 2160 wrote to memory of 1428	2160	fkuidypa.exe	svchost.exe
PID 2160 wrote to memory of 1428	2160	fkuidypa.exe	svchost.exe
PID 2160 wrote to memory of 1428	2160	fkuidypa.exe	svchost.exe
PID 2160 wrote to memory of 1428	2160	fkuidypa.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe
"C:\Users\Admin\AppData\Local\Temp\519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tbazymmr\
2⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fkuidypa.exe" C:\Windows\SysWOW64\tbazymmr\
2⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tbazymmr binPath= "C:\Windows\SysWOW64\tbazymmr\fkuidypa.exe /d\"C:\Users\Admin\AppData\Local\Temp\519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2744

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tbazymmr "wifi internet conection"
2⤵
- Launches sc.exe
PID:656

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tbazymmr
2⤵
- Launches sc.exe
PID:3276

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2128

C:\Windows\SysWOW64\tbazymmr\fkuidypa.exe
C:\Windows\SysWOW64\tbazymmr\fkuidypa.exe /d"C:\Users\Admin\AppData\Local\Temp\519c5ce5aaedf029cd10b0e70a08eaf817cdfbaf1cf420e8ef9e14f4671b72bd.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fkuidypa.exe
Filesize
14.6MB

MD5
29d77763ce5a8cf282a869e723e77274

SHA1
1dee96c76640e50464cba111544e859677f17cc8

SHA256
9cfbe347e6181a23dd7d4ed8830d60393815b6849d69e811488cfa9e166c1ac1

SHA512
6d1327d5df93d39ca421ff02900814751517157a4804755cf8ad7bb0d80516b2969f0f656b4b53424ff3c807df4dc12b0dc5dfdd8af06566e92456540a449afa

Download Submit
C:\Windows\SysWOW64\tbazymmr\fkuidypa.exe
Filesize
14.6MB

MD5
29d77763ce5a8cf282a869e723e77274

SHA1
1dee96c76640e50464cba111544e859677f17cc8

SHA256
9cfbe347e6181a23dd7d4ed8830d60393815b6849d69e811488cfa9e166c1ac1

SHA512
6d1327d5df93d39ca421ff02900814751517157a4804755cf8ad7bb0d80516b2969f0f656b4b53424ff3c807df4dc12b0dc5dfdd8af06566e92456540a449afa

Download Submit
memory/656-186-0x0000000000000000-mapping.dmp

Download
memory/656-187-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/656-188-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/656-190-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1428-485-0x0000000002E00000-0x0000000002E15000-memory.dmp

Filesize
84KB

Download
memory/1428-484-0x0000000002E00000-0x0000000002E15000-memory.dmp

Filesize
84KB

Download
memory/1428-405-0x0000000002E09A6B-mapping.dmp

Download
memory/2128-208-0x0000000000000000-mapping.dmp

Download
memory/2160-416-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2160-374-0x0000000000841000-0x0000000000851000-memory.dmp

Filesize
64KB

Download
memory/2160-377-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/2160-413-0x0000000000841000-0x0000000000851000-memory.dmp

Filesize
64KB

Download
memory/2320-184-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-173-0x0000000000000000-mapping.dmp

Download
memory/2320-174-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-177-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-178-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-175-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-176-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-169-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-172-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-171-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-170-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2440-168-0x0000000000000000-mapping.dmp

Download
memory/2744-180-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2744-179-0x0000000000000000-mapping.dmp

Download
memory/2744-181-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2744-182-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2744-189-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/2744-183-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-140-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-144-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-153-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-154-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-155-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-156-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-157-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-158-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-159-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-160-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3152-161-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-162-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-163-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-164-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-165-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-166-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-167-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-151-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-150-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-149-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-148-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-147-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-146-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-145-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-141-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3152-152-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-143-0x00000000021F0000-0x0000000002203000-memory.dmp

Filesize
76KB

Download
memory/3152-142-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-118-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-139-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-138-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-137-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-136-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-135-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-134-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-132-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-131-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-130-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-129-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-128-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-119-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-127-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-210-0x00000000021F0000-0x0000000002203000-memory.dmp

Filesize
76KB

Download
memory/3152-214-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3152-125-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-126-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-124-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-123-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-122-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-121-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-120-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3276-196-0x0000000000000000-mapping.dmp

Download