tofsee | 1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89

General

Target

1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe
Size

276KB
MD5

68d3b1e67263b0d65c81e9738924c21d
SHA1

29ef6a67c445c7ba49c4206bfac2da03a9d8ac1b
SHA256

1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89
SHA512

1acdb17454cf8333b8d92d2263ba58f5fd079dd37a35df3b19ae51b6891fd9b23421fdf4a0347862d37dcf49343e7603486fb7509c6764f7bf5a5235935b7746
SSDEEP

3072:siRc48qyPDiLo4YXMtq5qsDm6JPWXylDBKJ+0h5h0jKPcWJME9hIh3eGjMgG1aoK:KFbiLxYXMnkXAXG4XQK0WJuRjMgU

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4212 netsh.exe

pid	process
4212	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3468 sc.exe
4488 sc.exe
2224 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4012 4380 WerFault.exe 1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe

pid	process
3468	sc.exe
4488	sc.exe
2224	sc.exe

pid	pid_target	process	target process
4012	4380	WerFault.exe	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe

description	pid	process	target process
PID 4380 wrote to memory of 1700	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 1700	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 1700	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 4240	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 4240	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 4240	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	cmd.exe
PID 4380 wrote to memory of 3468	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 3468	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 3468	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 4488	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 4488	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 4488	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 2224	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 2224	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 2224	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	sc.exe
PID 4380 wrote to memory of 4212	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	netsh.exe
PID 4380 wrote to memory of 4212	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	netsh.exe
PID 4380 wrote to memory of 4212	4380	1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe
"C:\Users\Admin\AppData\Local\Temp\1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eptvolnz\
2⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yffjkuep.exe" C:\Windows\SysWOW64\eptvolnz\
2⤵
PID:4240

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create eptvolnz binPath= "C:\Windows\SysWOW64\eptvolnz\yffjkuep.exe /d\"C:\Users\Admin\AppData\Local\Temp\1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3468

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description eptvolnz "wifi internet conection"
2⤵
- Launches sc.exe
PID:4488

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start eptvolnz
2⤵
- Launches sc.exe
PID:2224

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1044
2⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4380 -ip 4380
1⤵
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yffjkuep.exe
Filesize
13.2MB

MD5
3a1334acfaa37388f8df8682519c25b1

SHA1
39243d89f1bfa8a4d7c457eacdf68551884a8b9d

SHA256
c8dc62ebfa0552fb86b483625dd726b37138090e40496fc063f7be0d52e4d51f

SHA512
2a2cb52c9dd555c12ef42b90f413aa8e801df153b5c0763a8bb6e997f86c7c87a527255847e5a5b4acbf88df04b0891fc698c8b6c29c5b9d24024aae78e296a1

Download Submit
memory/1700-135-0x0000000000000000-mapping.dmp

Download
memory/2224-140-0x0000000000000000-mapping.dmp

Download
memory/3468-138-0x0000000000000000-mapping.dmp

Download
memory/4212-141-0x0000000000000000-mapping.dmp

Download
memory/4240-136-0x0000000000000000-mapping.dmp

Download
memory/4380-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4380-132-0x0000000000637000-0x000000000064C000-memory.dmp

Filesize
84KB

Download
memory/4380-133-0x0000000000490000-0x00000000004A3000-memory.dmp

Filesize
76KB

Download
memory/4380-142-0x0000000000637000-0x000000000064C000-memory.dmp

Filesize
84KB

Download
memory/4380-143-0x0000000000490000-0x00000000004A3000-memory.dmp

Filesize
76KB

Download
memory/4380-144-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4488-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing