tofsee | d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d

Analysis

max time kernel
149s
max time network
159s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-12-2022 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe
Size

349KB
MD5

25607028a72fbb399ede69c15f19d08c
SHA1

ad83445665fdc6033d4493d3350923acbc2eff2e
SHA256

d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d
SHA512

ae40f583c6a5241eeef93e8fdfd5879ae0c77884fb89d4501cf9b52a2629f134a82cc9d2ea61bc9715a61faf3d288eea7cdcf0687e8f5633140a970a06a74e79
SSDEEP

6144:IMAIKL74634xpBf93nGLe0q/7qCPKMPuRjMgU:I/5X3473nq07KMmRQg

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\wagqjyxo = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

tqkliqgn.exe

pid process

4556 tqkliqgn.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1436 netsh.exe

pid	process
4556	tqkliqgn.exe

pid	process
1436	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wagqjyxo\ImagePath = "C:\\Windows\\SysWOW64\\wagqjyxo\\tqkliqgn.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3172 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tqkliqgn.exe

description pid process target process

PID 4556 set thread context of 3172 4556 tqkliqgn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5112 sc.exe
2036 sc.exe
5000 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3172	svchost.exe

description	pid	process	target process
PID 4556 set thread context of 3172	4556	tqkliqgn.exe	svchost.exe

pid	process
5112	sc.exe
2036	sc.exe
5000	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exetqkliqgn.exe

description	pid	process	target process
PID 2356 wrote to memory of 4740	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 4740	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 4740	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 3696	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 3696	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 3696	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	cmd.exe
PID 2356 wrote to memory of 5112	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 5112	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 5112	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 2036	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 2036	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 2036	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 5000	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 5000	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 5000	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	sc.exe
PID 2356 wrote to memory of 1436	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	netsh.exe
PID 2356 wrote to memory of 1436	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	netsh.exe
PID 2356 wrote to memory of 1436	2356	d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe	netsh.exe
PID 4556 wrote to memory of 3172	4556	tqkliqgn.exe	svchost.exe
PID 4556 wrote to memory of 3172	4556	tqkliqgn.exe	svchost.exe
PID 4556 wrote to memory of 3172	4556	tqkliqgn.exe	svchost.exe
PID 4556 wrote to memory of 3172	4556	tqkliqgn.exe	svchost.exe
PID 4556 wrote to memory of 3172	4556	tqkliqgn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe
"C:\Users\Admin\AppData\Local\Temp\d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wagqjyxo\
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tqkliqgn.exe" C:\Windows\SysWOW64\wagqjyxo\
2⤵
PID:3696

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create wagqjyxo binPath= "C:\Windows\SysWOW64\wagqjyxo\tqkliqgn.exe /d\"C:\Users\Admin\AppData\Local\Temp\d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:5112

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description wagqjyxo "wifi internet conection"
2⤵
- Launches sc.exe
PID:2036

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start wagqjyxo
2⤵
- Launches sc.exe
PID:5000

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1436

C:\Windows\SysWOW64\wagqjyxo\tqkliqgn.exe
C:\Windows\SysWOW64\wagqjyxo\tqkliqgn.exe /d"C:\Users\Admin\AppData\Local\Temp\d195f54bc656f97fbafcbf12faed2ad4a6e8caf22bb6301747fbfa9228ece66d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tqkliqgn.exe
Filesize
10.9MB

MD5
2ad66c1a12a4d28f40ff88b194a904ae

SHA1
0e46a3f04314a350cc0210d09490e8588f4280cb

SHA256
3f79819d0f18e4d3b32040f69bb67b21a6f0ffb98042e2debb4b958021b9142b

SHA512
3269799dcf6b1f1688a582a31f2a2709a3bdabbd5302ec7ed5cf8b89ca08fa4abe5d63a2075307d1819963f40be2a52d2c191fceb0764cd452e4140d10439b66

Download Submit
C:\Windows\SysWOW64\wagqjyxo\tqkliqgn.exe
Filesize
10.9MB

MD5
2ad66c1a12a4d28f40ff88b194a904ae

SHA1
0e46a3f04314a350cc0210d09490e8588f4280cb

SHA256
3f79819d0f18e4d3b32040f69bb67b21a6f0ffb98042e2debb4b958021b9142b

SHA512
3269799dcf6b1f1688a582a31f2a2709a3bdabbd5302ec7ed5cf8b89ca08fa4abe5d63a2075307d1819963f40be2a52d2c191fceb0764cd452e4140d10439b66

Download Submit
memory/1436-218-0x0000000000000000-mapping.dmp

Download
memory/2036-192-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2036-193-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2036-190-0x0000000000000000-mapping.dmp

Download
memory/2356-164-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/2356-157-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2356-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-137-0x0000000000803000-0x0000000000819000-memory.dmp

Filesize
88KB

Download
memory/2356-138-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/2356-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-163-0x0000000000803000-0x0000000000819000-memory.dmp

Filesize
88KB

Download
memory/2356-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-234-0x0000000000803000-0x0000000000819000-memory.dmp

Filesize
88KB

Download
memory/2356-236-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2356-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-184-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3172-301-0x0000000000159A6B-mapping.dmp

Download
memory/3172-410-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/3172-359-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/3696-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3696-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3696-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3696-177-0x0000000000000000-mapping.dmp

Download
memory/3696-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3696-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4556-305-0x000000000076D000-0x0000000000783000-memory.dmp

Filesize
88KB

Download
memory/4556-306-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4556-296-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4556-295-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4556-294-0x000000000076D000-0x0000000000783000-memory.dmp

Filesize
88KB

Download
memory/4740-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4740-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4740-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4740-171-0x0000000000000000-mapping.dmp

Download
memory/4740-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4740-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5000-207-0x0000000000000000-mapping.dmp

Download
memory/5112-188-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-185-0x0000000000000000-mapping.dmp

Download
memory/5112-187-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-189-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-191-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-194-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download