tofsee | 997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34

Analysis

max time kernel
152s
max time network
179s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 23:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

167KB
MD5

db37e2dceca24b2a30667e7a26816e5a
SHA1

a52d6f9718d4cb71f623f463cd590f76ad04878c
SHA256

997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34
SHA512

b1f0795046296ce3ded9b195d40308999d3800f6886abff6730df2a047f30d3188828b48bd697069f51f038d8ff876d69e07563ef242070b30e219dce04b948c
SSDEEP

3072:MVtkj/2yjSgA2EVu5W+L/l5JYmsd//FuJpXxS5osnN:MnK+gA2EIL/lYZFupXI/

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ymicvlxv = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 1 IoCs

pid	Process
748	ndjqvhla.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
888	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ymicvlxv\ImagePath = "C:\\Windows\\SysWOW64\\ymicvlxv\\ndjqvhla.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
396	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 396	748	ndjqvhla.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1812	sc.exe
1028	sc.exe
680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1404	2044	file.exe	28
PID 2044 wrote to memory of 1404	2044	file.exe	28
PID 2044 wrote to memory of 1404	2044	file.exe	28
PID 2044 wrote to memory of 1404	2044	file.exe	28
PID 2044 wrote to memory of 1120	2044	file.exe	30
PID 2044 wrote to memory of 1120	2044	file.exe	30
PID 2044 wrote to memory of 1120	2044	file.exe	30
PID 2044 wrote to memory of 1120	2044	file.exe	30
PID 2044 wrote to memory of 1028	2044	file.exe	32
PID 2044 wrote to memory of 1028	2044	file.exe	32
PID 2044 wrote to memory of 1028	2044	file.exe	32
PID 2044 wrote to memory of 1028	2044	file.exe	32
PID 2044 wrote to memory of 680	2044	file.exe	34
PID 2044 wrote to memory of 680	2044	file.exe	34
PID 2044 wrote to memory of 680	2044	file.exe	34
PID 2044 wrote to memory of 680	2044	file.exe	34
PID 2044 wrote to memory of 1812	2044	file.exe	36
PID 2044 wrote to memory of 1812	2044	file.exe	36
PID 2044 wrote to memory of 1812	2044	file.exe	36
PID 2044 wrote to memory of 1812	2044	file.exe	36
PID 2044 wrote to memory of 888	2044	file.exe	38
PID 2044 wrote to memory of 888	2044	file.exe	38
PID 2044 wrote to memory of 888	2044	file.exe	38
PID 2044 wrote to memory of 888	2044	file.exe	38
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41
PID 748 wrote to memory of 396	748	ndjqvhla.exe	41

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ymicvlxv\
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe" C:\Windows\SysWOW64\ymicvlxv\
  2⤵
  PID:1120
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ymicvlxv binPath= "C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1028
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ymicvlxv "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:680
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ymicvlxv
  2⤵
  - Launches sc.exe
  PID:1812
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:888

C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe
C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe

Filesize
10.7MB

MD5
1fcff581a60a27a204bf70ce3471d0a2

SHA1
eb6025c2c2a9e69037559d63aa677a7a7d880de3

SHA256
daf3c6668720373e917da9167d48fd111782c590e293ce1d4769e694306a8ff4

SHA512
8a0ec0f0d00fa5f4766f37c9ba595675af449f6c8800040c0596b9c988791310f8f56d70263bf83da04d44ecb2692430fa4daf3dc3a01cf9a0767bc5c529852f

Download Submit
C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe

Filesize
10.7MB

MD5
1fcff581a60a27a204bf70ce3471d0a2

SHA1
eb6025c2c2a9e69037559d63aa677a7a7d880de3

SHA256
daf3c6668720373e917da9167d48fd111782c590e293ce1d4769e694306a8ff4

SHA512
8a0ec0f0d00fa5f4766f37c9ba595675af449f6c8800040c0596b9c988791310f8f56d70263bf83da04d44ecb2692430fa4daf3dc3a01cf9a0767bc5c529852f

Download Submit
memory/396-79-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/396-78-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/396-70-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/396-68-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/748-72-0x00000000007BB000-0x00000000007CB000-memory.dmp

Filesize
64KB

Download
memory/748-75-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2044-65-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2044-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2044-58-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2044-57-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2044-56-0x000000000087B000-0x000000000088B000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads