tofsee | 7964dbbcd14d66c785b5908a2a9d4969906f1312635a917302cc755e9c27aa6f

General

Target

38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe
Size

148KB
MD5

53538af5c50d7630c126e6c2dff32c7b
SHA1

19d9fc9ad096addf16608b6f13ea24bd042c6c51
SHA256

38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62
SHA512

4d234a9e726d6fb5822e5a31c00d63f0ac6aa0bad4c129c270d18fe7168a6760a030dc3c48305a88350756c4836b373a081070622cc32806af6b71c221c7db68
SSDEEP

3072:i2cTyeE8AeWn5ku22jifgRimvWkdpvbY:CTyx8Aej2jdzek/Y

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

524 netsh.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

916 sc.exe
1760 sc.exe
1324 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
524	netsh.exe

pid	process
916	sc.exe
1760	sc.exe
1324	sc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe

description	pid	process	target process
PID 1712 wrote to memory of 1952	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1952	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1952	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1952	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1364	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1364	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1364	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 1364	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	cmd.exe
PID 1712 wrote to memory of 916	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 916	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 916	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 916	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1760	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1760	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1760	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1760	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1324	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1324	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1324	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 1324	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	sc.exe
PID 1712 wrote to memory of 524	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	netsh.exe
PID 1712 wrote to memory of 524	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	netsh.exe
PID 1712 wrote to memory of 524	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	netsh.exe
PID 1712 wrote to memory of 524	1712	38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe
"C:\Users\Admin\AppData\Local\Temp\38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sckbcwrf\
2⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qnhifndk.exe" C:\Windows\SysWOW64\sckbcwrf\
2⤵
PID:1364

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sckbcwrf binPath= "C:\Windows\SysWOW64\sckbcwrf\qnhifndk.exe /d\"C:\Users\Admin\AppData\Local\Temp\38684693053584c3cab7a9de72d95a8a1bd010351ce1c023505f36b770f7fa62.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:916

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sckbcwrf "wifi internet conection"
2⤵
- Launches sc.exe
PID:1760

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sckbcwrf
2⤵
- Launches sc.exe
PID:1324

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qnhifndk.exe
Filesize
11.9MB

MD5
36fb48b61071923aa492971974af80b5

SHA1
060d4e889f021ef84001a6de64a53a4567866089

SHA256
5481b01d33687a228cc361c603d55387430be34466ee98792583a383707dd883

SHA512
f5313365a5fb56e50ec711c0912f6ce0bc33951c763843585d91c6bc31b330788a649c887929b4df402e483afb117fe41202f7dc4dbbc9fd644e14820016a945

Download Submit
memory/524-67-0x0000000000000000-mapping.dmp

Download
memory/916-63-0x0000000000000000-mapping.dmp

Download
memory/1324-66-0x0000000000000000-mapping.dmp

Download
memory/1364-61-0x0000000000000000-mapping.dmp

Download
memory/1712-58-0x0000000000BBB000-0x0000000000BCC000-memory.dmp

Filesize
68KB

Download
memory/1712-59-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1712-57-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/1712-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1712-65-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/1712-54-0x0000000000BBB000-0x0000000000BCC000-memory.dmp

Filesize
68KB

Download
memory/1712-55-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1712-68-0x0000000000BBB000-0x0000000000BCC000-memory.dmp

Filesize
68KB

Download
memory/1712-69-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/1952-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing