tofsee | a4a269238941aaaa08c4dc9ab54e8ac6b1d0ea500b5eff7ed52324355d88c454

Analysis

max time kernel
290s
max time network
358s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

184KB
MD5

2428f602a858472223bf90d6c3a902c9
SHA1

f4fc96a5bda3103c20ec6e998ab75ef4a2f66901
SHA256

a4a269238941aaaa08c4dc9ab54e8ac6b1d0ea500b5eff7ed52324355d88c454
SHA512

d7d6c13d3c1f058deaae76158b9df319ceb657d2336c74bab8dea0357bd5474ff6a0789cc3622af6b41a1ad3d78cc7387b3d634e5be026baf8305ed5f2a9b13c
SSDEEP

3072:XAHOMzhUOWg1w7EFxAd5QmKZEK3k944ApdujE72+ncJgL90N6LL:PMdmg1w7EFLm4r7P0N6

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation file.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5060 sc.exe
1148 sc.exe
1284 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
5060	sc.exe
1148	sc.exe
1284	sc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1828 wrote to memory of 1604	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 1604	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 1604	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 3640	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 3640	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 3640	1828	file.exe	cmd.exe
PID 1828 wrote to memory of 1284	1828	file.exe	sc.exe
PID 1828 wrote to memory of 1284	1828	file.exe	sc.exe
PID 1828 wrote to memory of 1284	1828	file.exe	sc.exe
PID 1828 wrote to memory of 5060	1828	file.exe	sc.exe
PID 1828 wrote to memory of 5060	1828	file.exe	sc.exe
PID 1828 wrote to memory of 5060	1828	file.exe	sc.exe
PID 1828 wrote to memory of 1148	1828	file.exe	sc.exe
PID 1828 wrote to memory of 1148	1828	file.exe	sc.exe
PID 1828 wrote to memory of 1148	1828	file.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rfpswlai\
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbriljmv.exe" C:\Windows\SysWOW64\rfpswlai\
2⤵
PID:3640

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rfpswlai binPath= "C:\Windows\SysWOW64\rfpswlai\hbriljmv.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1284

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rfpswlai "wifi internet conection"
2⤵
- Launches sc.exe
PID:5060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rfpswlai
2⤵
- Launches sc.exe
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hbriljmv.exe
Filesize
13.7MB

MD5
77626a5d4cbcbe9ee71cc4d35b215f31

SHA1
5f89999603ac95d719070421eaaf273c05b408fa

SHA256
a4f65070182f590dd0b7abe8d221ef1c427ee4f1d7a78d47d13647fc5c72507e

SHA512
4947ccd9edc5579f351d84ab5bfc3dcdeac8aa5e5875fe654f4b567609975b13bdfc37b6eccd3bb88ad9bbe353f7790e94aa6b780cf745a7457e48ecaa65d83a

Download Submit
memory/1148-140-0x0000000000000000-mapping.dmp

Download
memory/1284-137-0x0000000000000000-mapping.dmp

Download
memory/1604-135-0x0000000000000000-mapping.dmp

Download
memory/1828-132-0x000000000051D000-0x000000000052D000-memory.dmp

Filesize
64KB

Download
memory/1828-133-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/1828-134-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3640-136-0x0000000000000000-mapping.dmp

Download
memory/5060-139-0x0000000000000000-mapping.dmp

Download