tofsee | b88b9ed4918755d2ee5d4e8ec49915b6b0991cff51fd6d65f75e02757af71d10

General

Target

file.exe
Size

276KB
MD5

010f80610ed8b65773d1a85863c4df30
SHA1

ef9746a7ecc34f0cfd22fec39a4d8b24674abfed
SHA256

b88b9ed4918755d2ee5d4e8ec49915b6b0991cff51fd6d65f75e02757af71d10
SHA512

fc62a6875922e8aa069618baf4c0dd608440b8b6e79c91016d37a094472983f98e4f62dce2aff9334bd5ab7c58408b9e280ab2bb4e1067f3166a144c9c8359d0
SSDEEP

3072:NQge8WCBrrL4v8CVtq5qDGyKdhpHqPmgTDrtQYaVi5MXYhIh3eGjMgG1ao5Lk:NV/Lq8CVnD4h9qPmgTHqpQVuRjMgU

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

pmghemcj.exeszzdeoyj.exe

pid process

1888 pmghemcj.exe
1456 szzdeoyj.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

936 netsh.exe

pid	process
1888	pmghemcj.exe
1456	szzdeoyj.exe

pid	process
936	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\omrhezzi\ImagePath = "C:\\Windows\\SysWOW64\\omrhezzi\\szzdeoyj.exe"	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

file.exe

pid process

1340 file.exe
1340 file.exe

pid	process
1340	file.exe
1340	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\pnsifaaj = "\"C:\\Users\\Admin\\pmghemcj.exe\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

szzdeoyj.exe

description pid process target process

PID 1456 set thread context of 480 1456 szzdeoyj.exe svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1520 sc.exe
280 sc.exe
1892 sc.exe
540 sc.exe
1772 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1456 set thread context of 480	1456	szzdeoyj.exe	svchost.exe

pid	process
1520	sc.exe
280	sc.exe
1892	sc.exe
540	sc.exe
1772	sc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

file.exepmghemcj.exeszzdeoyj.exe

description	pid	process	target process
PID 1340 wrote to memory of 584	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 584	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 584	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 584	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 776	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 776	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 776	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 776	1340	file.exe	cmd.exe
PID 1340 wrote to memory of 1772	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1772	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1772	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1772	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1520	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1520	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1520	1340	file.exe	sc.exe
PID 1340 wrote to memory of 1520	1340	file.exe	sc.exe
PID 1340 wrote to memory of 280	1340	file.exe	sc.exe
PID 1340 wrote to memory of 280	1340	file.exe	sc.exe
PID 1340 wrote to memory of 280	1340	file.exe	sc.exe
PID 1340 wrote to memory of 280	1340	file.exe	sc.exe
PID 1340 wrote to memory of 936	1340	file.exe	netsh.exe
PID 1340 wrote to memory of 936	1340	file.exe	netsh.exe
PID 1340 wrote to memory of 936	1340	file.exe	netsh.exe
PID 1340 wrote to memory of 936	1340	file.exe	netsh.exe
PID 1340 wrote to memory of 1888	1340	file.exe	pmghemcj.exe
PID 1340 wrote to memory of 1888	1340	file.exe	pmghemcj.exe
PID 1340 wrote to memory of 1888	1340	file.exe	pmghemcj.exe
PID 1340 wrote to memory of 1888	1340	file.exe	pmghemcj.exe
PID 1888 wrote to memory of 836	1888	pmghemcj.exe	cmd.exe
PID 1888 wrote to memory of 836	1888	pmghemcj.exe	cmd.exe
PID 1888 wrote to memory of 836	1888	pmghemcj.exe	cmd.exe
PID 1888 wrote to memory of 836	1888	pmghemcj.exe	cmd.exe
PID 1888 wrote to memory of 1892	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 1892	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 1892	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 1892	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 540	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 540	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 540	1888	pmghemcj.exe	sc.exe
PID 1888 wrote to memory of 540	1888	pmghemcj.exe	sc.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe
PID 1456 wrote to memory of 480	1456	szzdeoyj.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\omrhezzi\
2⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ebvwtbry.exe" C:\Windows\SysWOW64\omrhezzi\
2⤵
PID:776

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create omrhezzi binPath= "C:\Windows\SysWOW64\omrhezzi\ebvwtbry.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1772

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description omrhezzi "wifi internet conection"
2⤵
- Launches sc.exe
PID:1520

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start omrhezzi
2⤵
- Launches sc.exe
PID:280

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:936

C:\Users\Admin\pmghemcj.exe
"C:\Users\Admin\pmghemcj.exe" /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\szzdeoyj.exe" C:\Windows\SysWOW64\omrhezzi\
3⤵
PID:836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config omrhezzi binPath= "C:\Windows\SysWOW64\omrhezzi\szzdeoyj.exe /d\"C:\Users\Admin\pmghemcj.exe\""
3⤵
- Launches sc.exe
PID:1892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start omrhezzi
3⤵
- Launches sc.exe
PID:540

C:\Windows\SysWOW64\omrhezzi\szzdeoyj.exe
C:\Windows\SysWOW64\omrhezzi\szzdeoyj.exe /d"C:\Users\Admin\pmghemcj.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
PID:480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebvwtbry.exe
Filesize
10.6MB

MD5
6a79a874df93d3b57be47ad40eb12329

SHA1
df26b6dee11f49264a152d7af3f5ddf48f1675ff

SHA256
c565c3c00493a8122c52764d4e058d1a59558fa4dfe892c93763ea4a569ca1ff

SHA512
084b6fd285236ae497f6922332c1bee3db70df65a94ba613deb809d5894ed8a8d5bbe56e93afc483afa65110820bd30d8f00aea0eb7a2ee1dbd5f6afeb2d6cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\szzdeoyj.exe
Filesize
13.3MB

MD5
8371fdbb4a96acf067c9ddc7adf99622

SHA1
32ad2f1766ef37409161bb99ec3cbe0a120b7b1f

SHA256
fd266e0c4411e3f5a981520d932b721762131461d85dd80c3f70b4ae5fb6c6d4

SHA512
d514b8cb7c77fb78b4012408ee5595fcc8a055e3c362a7c85a897aa2cb7ee9a21cf74884cee7d5e1223cc6eed125153fc6e2256a347d301ad1d77f3a202904d4

Download Submit
C:\Users\Admin\pmghemcj.exe
Filesize
10.5MB

MD5
b3ae0733f936912f7e4290378b065847

SHA1
ceaf6d9528e710519d07461cf4213db599b33b79

SHA256
02f5d61427a87e81ad49ecc829345a0dedc17a45d6165f1cc1beae40f96eb7b6

SHA512
520ab2ce1cf83eed6eb01206a647cdb96f5c8db3336499ba430f8608d51c346c59032b857892fe05654d98662b26fb521d75e671c6e76f3c6022f0b89799fd54

Download Submit
C:\Users\Admin\pmghemcj.exe
Filesize
10.5MB

MD5
b3ae0733f936912f7e4290378b065847

SHA1
ceaf6d9528e710519d07461cf4213db599b33b79

SHA256
02f5d61427a87e81ad49ecc829345a0dedc17a45d6165f1cc1beae40f96eb7b6

SHA512
520ab2ce1cf83eed6eb01206a647cdb96f5c8db3336499ba430f8608d51c346c59032b857892fe05654d98662b26fb521d75e671c6e76f3c6022f0b89799fd54

Download Submit
C:\Windows\SysWOW64\omrhezzi\szzdeoyj.exe
Filesize
13.3MB

MD5
8371fdbb4a96acf067c9ddc7adf99622

SHA1
32ad2f1766ef37409161bb99ec3cbe0a120b7b1f

SHA256
fd266e0c4411e3f5a981520d932b721762131461d85dd80c3f70b4ae5fb6c6d4

SHA512
d514b8cb7c77fb78b4012408ee5595fcc8a055e3c362a7c85a897aa2cb7ee9a21cf74884cee7d5e1223cc6eed125153fc6e2256a347d301ad1d77f3a202904d4

Download Submit
\Users\Admin\pmghemcj.exe
Filesize
10.5MB

MD5
b3ae0733f936912f7e4290378b065847

SHA1
ceaf6d9528e710519d07461cf4213db599b33b79

SHA256
02f5d61427a87e81ad49ecc829345a0dedc17a45d6165f1cc1beae40f96eb7b6

SHA512
520ab2ce1cf83eed6eb01206a647cdb96f5c8db3336499ba430f8608d51c346c59032b857892fe05654d98662b26fb521d75e671c6e76f3c6022f0b89799fd54

Download Submit
\Users\Admin\pmghemcj.exe
Filesize
10.5MB

MD5
b3ae0733f936912f7e4290378b065847

SHA1
ceaf6d9528e710519d07461cf4213db599b33b79

SHA256
02f5d61427a87e81ad49ecc829345a0dedc17a45d6165f1cc1beae40f96eb7b6

SHA512
520ab2ce1cf83eed6eb01206a647cdb96f5c8db3336499ba430f8608d51c346c59032b857892fe05654d98662b26fb521d75e671c6e76f3c6022f0b89799fd54

Download Submit
memory/280-64-0x0000000000000000-mapping.dmp

Download
memory/480-95-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/480-96-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/480-86-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/480-88-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/480-89-0x0000000000089A6B-mapping.dmp

Download
memory/540-81-0x0000000000000000-mapping.dmp

Download
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/776-59-0x0000000000000000-mapping.dmp

Download
memory/836-76-0x0000000000000000-mapping.dmp

Download
memory/936-66-0x0000000000000000-mapping.dmp

Download
memory/1340-72-0x00000000004EA000-0x00000000004FF000-memory.dmp

Filesize
84KB

Download
memory/1340-56-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1340-73-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1340-55-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/1340-54-0x00000000004EA000-0x00000000004FF000-memory.dmp

Filesize
84KB

Download
memory/1340-58-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1340-60-0x00000000004EA000-0x00000000004FF000-memory.dmp

Filesize
84KB

Download
memory/1340-61-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/1456-93-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1456-90-0x00000000004EA000-0x00000000004FF000-memory.dmp

Filesize
84KB

Download
memory/1520-63-0x0000000000000000-mapping.dmp

Download
memory/1772-62-0x0000000000000000-mapping.dmp

Download
memory/1888-83-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1888-82-0x000000000050A000-0x000000000051F000-memory.dmp

Filesize
84KB

Download
memory/1888-79-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1888-78-0x000000000050A000-0x000000000051F000-memory.dmp

Filesize
84KB

Download
memory/1888-70-0x0000000000000000-mapping.dmp

Download
memory/1892-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads