tofsee | ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2

General

Target

file.exe
Size

178KB
MD5

faca2fb4b7df8b02263be3f101775d8d
SHA1

1ee11a0311a1507b66d76b668eaa1806794692a7
SHA256

ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
SHA512

3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
SSDEEP

3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

youbgswl.exe

pid process

720 youbgswl.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4684 netsh.exe
1824 netsh.exe

pid	process
720	youbgswl.exe

pid	process
4684	netsh.exe
1824	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

youbgswl.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	youbgswl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nurfwqvg = "\"C:\\Users\\Admin\\youbgswl.exe\""	file.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2256 sc.exe
2896 sc.exe
4844 sc.exe
4256 sc.exe
1720 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1968 1424 WerFault.exe file.exe
1100 720 WerFault.exe youbgswl.exe

pid	process
2256	sc.exe
2896	sc.exe
4844	sc.exe
4256	sc.exe
1720	sc.exe

pid	pid_target	process	target process
1968	1424	WerFault.exe	file.exe
1100	720	WerFault.exe	youbgswl.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

file.exeyoubgswl.exe

description	pid	process	target process
PID 1424 wrote to memory of 1412	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 1412	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 1412	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 4240	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 4240	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 4240	1424	file.exe	cmd.exe
PID 1424 wrote to memory of 1720	1424	file.exe	sc.exe
PID 1424 wrote to memory of 1720	1424	file.exe	sc.exe
PID 1424 wrote to memory of 1720	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2256	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2256	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2256	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2896	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2896	1424	file.exe	sc.exe
PID 1424 wrote to memory of 2896	1424	file.exe	sc.exe
PID 1424 wrote to memory of 4684	1424	file.exe	netsh.exe
PID 1424 wrote to memory of 4684	1424	file.exe	netsh.exe
PID 1424 wrote to memory of 4684	1424	file.exe	netsh.exe
PID 1424 wrote to memory of 720	1424	file.exe	youbgswl.exe
PID 1424 wrote to memory of 720	1424	file.exe	youbgswl.exe
PID 1424 wrote to memory of 720	1424	file.exe	youbgswl.exe
PID 720 wrote to memory of 3464	720	youbgswl.exe	cmd.exe
PID 720 wrote to memory of 3464	720	youbgswl.exe	cmd.exe
PID 720 wrote to memory of 3464	720	youbgswl.exe	cmd.exe
PID 720 wrote to memory of 4844	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 4844	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 4844	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 4256	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 4256	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 4256	720	youbgswl.exe	sc.exe
PID 720 wrote to memory of 1824	720	youbgswl.exe	netsh.exe
PID 720 wrote to memory of 1824	720	youbgswl.exe	netsh.exe
PID 720 wrote to memory of 1824	720	youbgswl.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ryvjauzk\
2⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ouhcvcpk.exe" C:\Windows\SysWOW64\ryvjauzk\
2⤵
PID:4240

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ryvjauzk binPath= "C:\Windows\SysWOW64\ryvjauzk\ouhcvcpk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1720

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ryvjauzk "wifi internet conection"
2⤵
- Launches sc.exe
PID:2256

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ryvjauzk
2⤵
- Launches sc.exe
PID:2896

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4684

C:\Users\Admin\youbgswl.exe
"C:\Users\Admin\youbgswl.exe" /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe" C:\Windows\SysWOW64\ryvjauzk\
3⤵
PID:3464

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ryvjauzk binPath= "C:\Windows\SysWOW64\ryvjauzk\ndjqvhla.exe /d\"C:\Users\Admin\youbgswl.exe\""
3⤵
- Launches sc.exe
PID:4844

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ryvjauzk
3⤵
- Launches sc.exe
PID:4256

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1148
3⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1040
2⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1424 -ip 1424
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 720 -ip 720
1⤵
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe
Filesize
11.5MB

MD5
2e2766c865400ebf3a33545f15a6b5bb

SHA1
deae8abfce7b100da67d7fbc3a47c0b6c73a21bb

SHA256
38231f3dbad5924a087c7feb5ca6d6dd12cf654dc0563537e8c66f868bf948e3

SHA512
65482c98abad75f1ecf36801a936b536a5ad8fd79e24a34161dc5f987e189f4069e84b27f5c97567f2d1deda4f7595066ef647e288b85e1406b8bbdddb58489f

Download Submit
C:\Users\Admin\youbgswl.exe
Filesize
11.9MB

MD5
d2e00a0595cb58a700875511395a84b0

SHA1
1af2710c53136d464bbe38b22e3a5c9aa2c3cef8

SHA256
3f487119fadbdfc40eb478de101db204942e48b33665b467e1bcb50dbdc6ee9c

SHA512
872a790d426c39191ddfd3d5817f109764f26c33df70f57411ee9521f761410350a039c5b9e594d6c3d08bbc59f56d9eee1eebcb5131d5b32ca77596ae07a9cc

Download Submit
C:\Users\Admin\youbgswl.exe
Filesize
11.9MB

MD5
d2e00a0595cb58a700875511395a84b0

SHA1
1af2710c53136d464bbe38b22e3a5c9aa2c3cef8

SHA256
3f487119fadbdfc40eb478de101db204942e48b33665b467e1bcb50dbdc6ee9c

SHA512
872a790d426c39191ddfd3d5817f109764f26c33df70f57411ee9521f761410350a039c5b9e594d6c3d08bbc59f56d9eee1eebcb5131d5b32ca77596ae07a9cc

Download Submit
memory/720-153-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/720-145-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/720-144-0x000000000086C000-0x000000000087D000-memory.dmp

Filesize
68KB

Download
memory/720-141-0x0000000000000000-mapping.dmp

Download
memory/1412-135-0x0000000000000000-mapping.dmp

Download
memory/1424-134-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1424-132-0x0000000000A8D000-0x0000000000A9E000-memory.dmp

Filesize
68KB

Download
memory/1424-152-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1424-151-0x0000000000A8D000-0x0000000000A9E000-memory.dmp

Filesize
68KB

Download
memory/1424-133-0x00000000009A0000-0x00000000009B3000-memory.dmp

Filesize
76KB

Download
memory/1720-137-0x0000000000000000-mapping.dmp

Download
memory/1824-150-0x0000000000000000-mapping.dmp

Download
memory/2256-138-0x0000000000000000-mapping.dmp

Download
memory/2896-139-0x0000000000000000-mapping.dmp

Download
memory/3464-146-0x0000000000000000-mapping.dmp

Download
memory/4240-136-0x0000000000000000-mapping.dmp

Download
memory/4256-149-0x0000000000000000-mapping.dmp

Download
memory/4684-140-0x0000000000000000-mapping.dmp

Download
memory/4844-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads