tofsee | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649

General

Target

97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
Size

173KB
MD5

aa022c62898c665e601e15e6e204b86e
SHA1

88d9102b156445328fbfbbf2434ae4d98cf8efc9
SHA256

97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
SHA512

23535551c14fd9ec5083d829647464048395ae7eddf1f92235e668205d991a5b335fd715d80f2463102d2c0aee1f5d61e352d21d419a489d7ea0b00ab2b8332c
SSDEEP

3072:EjhcgKXXIyhhlGyO5DEDn3U0gbmke8rvtRt22shyLFw:ECX4yhaZAn3h8/DtRt7L

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

aqsfwoz.exe

pid process

3052 aqsfwoz.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1136 netsh.exe

pid	process
3052	aqsfwoz.exe

pid	process
1136	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jksehmvz\ImagePath = "C:\\Windows\\SysWOW64\\jksehmvz\\aqsfwoz.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aqsfwoz.exe

description pid process target process

PID 3052 set thread context of 1224 3052 aqsfwoz.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2444 sc.exe
448 sc.exe
5032 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3052 set thread context of 1224	3052	aqsfwoz.exe	svchost.exe

pid	process
2444	sc.exe
448	sc.exe
5032	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
852	4452	WerFault.exe	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
2388	3052	WerFault.exe	aqsfwoz.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exeaqsfwoz.exe

description	pid	process	target process
PID 4452 wrote to memory of 632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 4632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 4632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 4632	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	cmd.exe
PID 4452 wrote to memory of 2444	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 2444	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 2444	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 448	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 448	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 448	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 5032	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 5032	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 5032	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	sc.exe
PID 4452 wrote to memory of 1136	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	netsh.exe
PID 4452 wrote to memory of 1136	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	netsh.exe
PID 4452 wrote to memory of 1136	4452	97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe	netsh.exe
PID 3052 wrote to memory of 1224	3052	aqsfwoz.exe	svchost.exe
PID 3052 wrote to memory of 1224	3052	aqsfwoz.exe	svchost.exe
PID 3052 wrote to memory of 1224	3052	aqsfwoz.exe	svchost.exe
PID 3052 wrote to memory of 1224	3052	aqsfwoz.exe	svchost.exe
PID 3052 wrote to memory of 1224	3052	aqsfwoz.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
"C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jksehmvz\
2⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aqsfwoz.exe" C:\Windows\SysWOW64\jksehmvz\
2⤵
PID:4632

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jksehmvz binPath= "C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe /d\"C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2444

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jksehmvz "wifi internet conection"
2⤵
- Launches sc.exe
PID:448

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jksehmvz
2⤵
- Launches sc.exe
PID:5032

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1036
2⤵
- Program crash
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4452 -ip 4452
1⤵
PID:5020

C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe
C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe /d"C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 532
2⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3052 -ip 3052
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqsfwoz.exe
Filesize
11.5MB

MD5
2b039c03d03febd442c30fa6e1a72bdf

SHA1
bc2652324c9fb411f9b5b6f8840c0bc70e500584

SHA256
c55a6e8d67e446a45f216cd7d3bf0ae6cebaea4abae35eefc1c8bdb499d19485

SHA512
1ec583ed6ded98b59ec93bc7231c01974f30ee15767c91a3d70e6ce4849e49797ef59a85a0ca0e3ebccd9833c6981dd1e83b325a00fd72c6ba5de3adfa355a3d

Download Submit
C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe
Filesize
11.5MB

MD5
2b039c03d03febd442c30fa6e1a72bdf

SHA1
bc2652324c9fb411f9b5b6f8840c0bc70e500584

SHA256
c55a6e8d67e446a45f216cd7d3bf0ae6cebaea4abae35eefc1c8bdb499d19485

SHA512
1ec583ed6ded98b59ec93bc7231c01974f30ee15767c91a3d70e6ce4849e49797ef59a85a0ca0e3ebccd9833c6981dd1e83b325a00fd72c6ba5de3adfa355a3d

Download Submit
memory/448-139-0x0000000000000000-mapping.dmp

Download
memory/632-135-0x0000000000000000-mapping.dmp

Download
memory/1136-141-0x0000000000000000-mapping.dmp

Download
memory/1224-145-0x0000000000000000-mapping.dmp

Download
memory/1224-151-0x0000000000ED0000-0x0000000000EE5000-memory.dmp

Filesize
84KB

Download
memory/1224-152-0x0000000000ED0000-0x0000000000EE5000-memory.dmp

Filesize
84KB

Download
memory/1224-146-0x0000000000ED0000-0x0000000000EE5000-memory.dmp

Filesize
84KB

Download
memory/2444-138-0x0000000000000000-mapping.dmp

Download
memory/3052-150-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/3052-149-0x0000000000928000-0x0000000000939000-memory.dmp

Filesize
68KB

Download
memory/4452-132-0x0000000000A1E000-0x0000000000A2E000-memory.dmp

Filesize
64KB

Download
memory/4452-144-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4452-143-0x0000000000A1E000-0x0000000000A2E000-memory.dmp

Filesize
64KB

Download
memory/4452-134-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4452-133-0x00000000009A0000-0x00000000009B3000-memory.dmp

Filesize
76KB

Download
memory/4632-136-0x0000000000000000-mapping.dmp

Download
memory/5032-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads