tofsee | ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2

General

Target

file.exe
Size

178KB
MD5

faca2fb4b7df8b02263be3f101775d8d
SHA1

1ee11a0311a1507b66d76b668eaa1806794692a7
SHA256

ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
SHA512

3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
SSDEEP

3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

euahmycr.exe

pid process

836 euahmycr.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1932 netsh.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1504 sc.exe
1652 sc.exe
1604 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
836	euahmycr.exe

pid	process
1932	netsh.exe

pid	process
1504	sc.exe
1652	sc.exe
1604	sc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.exe

description	pid	process	target process
PID 520 wrote to memory of 1092	520	file.exe	cmd.exe
PID 520 wrote to memory of 1092	520	file.exe	cmd.exe
PID 520 wrote to memory of 1092	520	file.exe	cmd.exe
PID 520 wrote to memory of 1092	520	file.exe	cmd.exe
PID 520 wrote to memory of 1656	520	file.exe	cmd.exe
PID 520 wrote to memory of 1656	520	file.exe	cmd.exe
PID 520 wrote to memory of 1656	520	file.exe	cmd.exe
PID 520 wrote to memory of 1656	520	file.exe	cmd.exe
PID 520 wrote to memory of 1652	520	file.exe	sc.exe
PID 520 wrote to memory of 1652	520	file.exe	sc.exe
PID 520 wrote to memory of 1652	520	file.exe	sc.exe
PID 520 wrote to memory of 1652	520	file.exe	sc.exe
PID 520 wrote to memory of 1604	520	file.exe	sc.exe
PID 520 wrote to memory of 1604	520	file.exe	sc.exe
PID 520 wrote to memory of 1604	520	file.exe	sc.exe
PID 520 wrote to memory of 1604	520	file.exe	sc.exe
PID 520 wrote to memory of 1504	520	file.exe	sc.exe
PID 520 wrote to memory of 1504	520	file.exe	sc.exe
PID 520 wrote to memory of 1504	520	file.exe	sc.exe
PID 520 wrote to memory of 1504	520	file.exe	sc.exe
PID 520 wrote to memory of 1932	520	file.exe	netsh.exe
PID 520 wrote to memory of 1932	520	file.exe	netsh.exe
PID 520 wrote to memory of 1932	520	file.exe	netsh.exe
PID 520 wrote to memory of 1932	520	file.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ljaojnwg\
2⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\euahmycr.exe" C:\Windows\SysWOW64\ljaojnwg\
2⤵
PID:1656

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ljaojnwg binPath= "C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1652

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ljaojnwg "wifi internet conection"
2⤵
- Launches sc.exe
PID:1604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ljaojnwg
2⤵
- Launches sc.exe
PID:1504

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1932

C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe
C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
PID:836

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\euahmycr.exe
Filesize
14.1MB

MD5
7633f200a438f5b22cef30dde07976a4

SHA1
040b8def3ee1b7656b9bbf707cef30bc1d2d88f2

SHA256
d6dc5d1ec8f7d14a4d22e8d42837141f7126988f6f24e10d9b8259277972776d

SHA512
94b760805e57b8bf1e1cff9d90a3819bb14415491c1ffac2d5cde9ad1e30d181adcf91d92faa2f773ce21d4e6693c9968336ed840f0a0ceed3c92f708891219a

Download Submit
C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe
Filesize
6.5MB

MD5
de7230727107b934ba99117acdb573c4

SHA1
be63aced8ebbf4d348a6a06de96d4502ee98a645

SHA256
7f24c2360a992bc1683a47ddd294844ee93489bae1853064e05d541a754f20fc

SHA512
49d5607e19fa17f89733dab61d7e444e57ba63eda841e59a8ad0efc2a9cc6f4e121fe4cc347ab987f846bb39468202936d11f160ae824af3828e9671ee741110

Download Submit
memory/520-59-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/520-65-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/520-54-0x00000000008EB000-0x00000000008FC000-memory.dmp

Filesize
68KB

Download
memory/520-58-0x00000000008EB000-0x00000000008FC000-memory.dmp

Filesize
68KB

Download
memory/520-57-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/520-55-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/520-69-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/520-68-0x00000000008EB000-0x00000000008FC000-memory.dmp

Filesize
68KB

Download
memory/520-56-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1092-60-0x0000000000000000-mapping.dmp

Download
memory/1504-64-0x0000000000000000-mapping.dmp

Download
memory/1604-63-0x0000000000000000-mapping.dmp

Download
memory/1652-62-0x0000000000000000-mapping.dmp

Download
memory/1656-61-0x0000000000000000-mapping.dmp

Download
memory/1932-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing