tofsee | 29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5

General

Target

29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
Size

192KB
MD5

99c46fe2f6560e5f52c912fe41ebf031
SHA1

09cfc9287b737405326a14ed100b0d109386b188
SHA256

29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5
SHA512

8aa7c5fdf6fb15ebe857f1046daea8c47bb400110702f1ab02f96c0f75721753821d55e64ff0977903b526b3ca8cc0330e88944582e1a925e21f39614da9acec
SSDEEP

3072:ag7i0AlCXTi2I5VPJmVtmIq9lj/iZqXQ/8nzkNaRs9E3AZxpR/wQnzhx:3iUTi9BY8I///8n45vp+a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

dtmkhqxw.exe

pid process

4616 dtmkhqxw.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

204 netsh.exe

pid	process
4616	dtmkhqxw.exe

pid	process
204	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zvdbwzfp\ImagePath = "C:\\Windows\\SysWOW64\\zvdbwzfp\\dtmkhqxw.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dtmkhqxw.exe

description pid process target process

PID 4616 set thread context of 2372 4616 dtmkhqxw.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4632 sc.exe
1764 sc.exe
4648 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4616 set thread context of 2372	4616	dtmkhqxw.exe	svchost.exe

pid	process
4632	sc.exe
1764	sc.exe
4648	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2452	4844	WerFault.exe	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
5056	4616	WerFault.exe	dtmkhqxw.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exedtmkhqxw.exe

description	pid	process	target process
PID 4844 wrote to memory of 3060	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 3060	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 3060	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 3212	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 3212	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 3212	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	cmd.exe
PID 4844 wrote to memory of 1764	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 1764	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 1764	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4648	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4648	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4648	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4632	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4632	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 4632	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	sc.exe
PID 4844 wrote to memory of 204	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	netsh.exe
PID 4844 wrote to memory of 204	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	netsh.exe
PID 4844 wrote to memory of 204	4844	29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe	netsh.exe
PID 4616 wrote to memory of 2372	4616	dtmkhqxw.exe	svchost.exe
PID 4616 wrote to memory of 2372	4616	dtmkhqxw.exe	svchost.exe
PID 4616 wrote to memory of 2372	4616	dtmkhqxw.exe	svchost.exe
PID 4616 wrote to memory of 2372	4616	dtmkhqxw.exe	svchost.exe
PID 4616 wrote to memory of 2372	4616	dtmkhqxw.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
"C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zvdbwzfp\
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dtmkhqxw.exe" C:\Windows\SysWOW64\zvdbwzfp\
2⤵
PID:3212

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zvdbwzfp binPath= "C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe /d\"C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1764

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zvdbwzfp "wifi internet conection"
2⤵
- Launches sc.exe
PID:4648

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zvdbwzfp
2⤵
- Launches sc.exe
PID:4632

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1040
2⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe
C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe /d"C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 516
2⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4844 -ip 4844
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4616 -ip 4616
1⤵
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtmkhqxw.exe
Filesize
14.9MB

MD5
da778dd512d8e7353b1eda41d1efde4d

SHA1
3a2263599ddc75550352da6cce1f121cf2034a05

SHA256
aadc08a789d0ddd1f0dd044717be3cf70aed630f1e87b33a5d6d0721bfbeaa5d

SHA512
1ed21c4e68c5ad213617329928e067f8e63b793b3a943bf5a1c0edef2c594376a0ce279234ae9a800e8d52c3e50ff2a64e13e6fc9030bf630d6054f55bc52cd6

Download Submit
C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe
Filesize
14.9MB

MD5
da778dd512d8e7353b1eda41d1efde4d

SHA1
3a2263599ddc75550352da6cce1f121cf2034a05

SHA256
aadc08a789d0ddd1f0dd044717be3cf70aed630f1e87b33a5d6d0721bfbeaa5d

SHA512
1ed21c4e68c5ad213617329928e067f8e63b793b3a943bf5a1c0edef2c594376a0ce279234ae9a800e8d52c3e50ff2a64e13e6fc9030bf630d6054f55bc52cd6

Download Submit
memory/204-142-0x0000000000000000-mapping.dmp

Download
memory/1764-138-0x0000000000000000-mapping.dmp

Download
memory/2372-146-0x0000000000000000-mapping.dmp

Download
memory/2372-152-0x0000000001290000-0x00000000012A5000-memory.dmp

Filesize
84KB

Download
memory/2372-151-0x0000000001290000-0x00000000012A5000-memory.dmp

Filesize
84KB

Download
memory/2372-147-0x0000000001290000-0x00000000012A5000-memory.dmp

Filesize
84KB

Download
memory/3060-135-0x0000000000000000-mapping.dmp

Download
memory/3212-136-0x0000000000000000-mapping.dmp

Download
memory/4616-150-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4632-140-0x0000000000000000-mapping.dmp

Download
memory/4648-139-0x0000000000000000-mapping.dmp

Download
memory/4844-144-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4844-143-0x00000000006D8000-0x00000000006E9000-memory.dmp

Filesize
68KB

Download
memory/4844-132-0x00000000006D8000-0x00000000006E9000-memory.dmp

Filesize
68KB

Download
memory/4844-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4844-133-0x00000000005B0000-0x00000000005C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads