tofsee | ec9baf02d53da35618afb04be30f976c97fcca173712fa2acfefe979e598cb9a

Analysis

max time kernel
42s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

260KB
MD5

257eb857f8bb4557e98acdc30f209b66
SHA1

f6e57354bea528c4db7c1096e53f8c5c6b94273d
SHA256

ec9baf02d53da35618afb04be30f976c97fcca173712fa2acfefe979e598cb9a
SHA512

8d0615a278e9124f6a66ec2a2a75d3bed26fa61bfaece95d7bc9a14fb27adafd2825e26c3b9e558d158e986d795823b1e7784e047c6b3d48fca348dd2a9b5e0e
SSDEEP

6144:sSFBiHLLktQEkXoaB8oLYzW7tJHuDLeGW:tBygtQEktB8hq7/HuvjW

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
480	sc.exe
4804	sc.exe
724	sc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
PID:652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\druvxehx\
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ysucysyr.exe" C:\Windows\SysWOW64\druvxehx\
  2⤵
  PID:3996
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create druvxehx binPath= "C:\Windows\SysWOW64\druvxehx\ysucysyr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:480
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description druvxehx "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4804
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start druvxehx
  2⤵
  - Launches sc.exe
  PID:724

C:\Windows\SysWOW64\druvxehx\ysucysyr.exe
C:\Windows\SysWOW64\druvxehx\ysucysyr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ysucysyr.exe

Filesize
91KB

MD5
0a0f6736b8a7d4d131cebb3ec3214ee8

SHA1
55da371b594f3a5bada6005de6c51ba8f4e14a04

SHA256
357c5dac006c6bacd9f0ec05b905c41ae13905a33ae56e3e9770ecd7a2a1c524

SHA512
c1b09e31a6e5d8c019f8d5480439cb2b89ed893d74fb21905cb271137383bc03986e0fbce71a38d028faf4d8f7d5b41e5096cc5ded06b2de83ff27b4672a0db5

Download Submit
C:\Windows\SysWOW64\druvxehx\ysucysyr.exe

Filesize
217KB

MD5
146fcdbb2533d6422d9c6aef163d1dd8

SHA1
f0fff493df47c721e57ec044492cfef932e8e1ce

SHA256
0a0275d559554cdef5aa0b1ceb9a32c10626dadd4b7d1ec8acff7b8e778a6166

SHA512
787c2067103d5164ee45d2cf6f135288bc70f890e15200d65d2c82827162d8aa1238b3cf43cb4cff5f36f679c47aba0aa85c5f30e284819770cdceee7109fed3

Download Submit
memory/652-134-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/652-133-0x0000000002C30000-0x0000000002D30000-memory.dmp

Filesize
1024KB

Download
memory/652-135-0x0000000000400000-0x0000000002C2F000-memory.dmp

Filesize
40.2MB

Download