tofsee | e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54

Analysis

max time kernel
143s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2022 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe
Size

147KB
MD5

4eb62a4c6ef0b767b031754502a53d39
SHA1

1031001a9972fadf5308ade23eaa3010a168c256
SHA256

e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54
SHA512

d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047
SSDEEP

3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nljplusf = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

cehsnhwx.exe

pid process

1812 cehsnhwx.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4592 netsh.exe

pid	process
1812	cehsnhwx.exe

pid	process
4592	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nljplusf\ImagePath = "C:\\Windows\\SysWOW64\\nljplusf\\cehsnhwx.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3168 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cehsnhwx.exe

description pid process target process

PID 1812 set thread context of 3168 1812 cehsnhwx.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4396 sc.exe
5040 sc.exe
4780 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3168	svchost.exe

description	pid	process	target process
PID 1812 set thread context of 3168	1812	cehsnhwx.exe	svchost.exe

pid	process
4396	sc.exe
5040	sc.exe
4780	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.execehsnhwx.exe

description	pid	process	target process
PID 3048 wrote to memory of 4248	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 4248	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 4248	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 2320	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 2320	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 2320	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	cmd.exe
PID 3048 wrote to memory of 4396	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4396	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4396	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 5040	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 5040	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 5040	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4780	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4780	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4780	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	sc.exe
PID 3048 wrote to memory of 4592	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	netsh.exe
PID 3048 wrote to memory of 4592	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	netsh.exe
PID 3048 wrote to memory of 4592	3048	e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe	netsh.exe
PID 1812 wrote to memory of 3168	1812	cehsnhwx.exe	svchost.exe
PID 1812 wrote to memory of 3168	1812	cehsnhwx.exe	svchost.exe
PID 1812 wrote to memory of 3168	1812	cehsnhwx.exe	svchost.exe
PID 1812 wrote to memory of 3168	1812	cehsnhwx.exe	svchost.exe
PID 1812 wrote to memory of 3168	1812	cehsnhwx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe
"C:\Users\Admin\AppData\Local\Temp\e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nljplusf\
2⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cehsnhwx.exe" C:\Windows\SysWOW64\nljplusf\
2⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nljplusf binPath= "C:\Windows\SysWOW64\nljplusf\cehsnhwx.exe /d\"C:\Users\Admin\AppData\Local\Temp\e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4396

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nljplusf "wifi internet conection"
2⤵
- Launches sc.exe
PID:5040

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nljplusf
2⤵
- Launches sc.exe
PID:4780

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4592

C:\Windows\SysWOW64\nljplusf\cehsnhwx.exe
C:\Windows\SysWOW64\nljplusf\cehsnhwx.exe /d"C:\Users\Admin\AppData\Local\Temp\e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cehsnhwx.exe
Filesize
12.0MB

MD5
a20570db6f22d2d776a25a5b62f8d131

SHA1
71133d7a9e776af90cd5fd7f29ea5b6a7bebdfbd

SHA256
f37ccbfef9c9d465aa62f6e54fea2c1049836b3579696a1311585c06eba7220d

SHA512
6c1b10e83efd2c42ae5505f5c74f9143b92612568a725f2a3626d1535cde5fc3d25479813ccaaa3dd036d0f2aab5bea6dd7525f3af8d875dccfe5f3e527510e4

Download Submit
C:\Windows\SysWOW64\nljplusf\cehsnhwx.exe
Filesize
12.0MB

MD5
a20570db6f22d2d776a25a5b62f8d131

SHA1
71133d7a9e776af90cd5fd7f29ea5b6a7bebdfbd

SHA256
f37ccbfef9c9d465aa62f6e54fea2c1049836b3579696a1311585c06eba7220d

SHA512
6c1b10e83efd2c42ae5505f5c74f9143b92612568a725f2a3626d1535cde5fc3d25479813ccaaa3dd036d0f2aab5bea6dd7525f3af8d875dccfe5f3e527510e4

Download Submit
memory/1812-364-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/1812-348-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/1812-345-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2320-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2320-173-0x0000000000000000-mapping.dmp

Download
memory/2320-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-160-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-152-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/3048-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x0000000000CDA000-0x0000000000CEA000-memory.dmp

Filesize
64KB

Download
memory/3048-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-124-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-224-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/3048-219-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-214-0x0000000000CDA000-0x0000000000CEA000-memory.dmp

Filesize
64KB

Download
memory/3048-121-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3168-360-0x0000000000C39A6B-mapping.dmp

Download
memory/3168-486-0x0000000000C30000-0x0000000000C45000-memory.dmp

Filesize
84KB

Download
memory/3168-459-0x0000000000C30000-0x0000000000C45000-memory.dmp

Filesize
84KB

Download
memory/4248-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-167-0x0000000000000000-mapping.dmp

Download
memory/4396-182-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4396-179-0x0000000000000000-mapping.dmp

Download
memory/4396-183-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4396-188-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4396-180-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4396-184-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4592-213-0x0000000000000000-mapping.dmp

Download
memory/4780-202-0x0000000000000000-mapping.dmp

Download
memory/5040-185-0x0000000000000000-mapping.dmp

Download
memory/5040-187-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5040-186-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download