tofsee | 60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-12-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe
Size

349KB
MD5

ba7386d6d719c25211922c8cbe33fd14
SHA1

cc56118f3b50f2e0bbb155808ef984365dd5c0b6
SHA256

60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97
SHA512

57a6e755b75b7a13419e95dd5a3d321d71bd5996f215a405904a5e8845e9660d52eb8547ded9a08f565e80868b7b620b24eade57176d7bd72d389b8bfff7d545
SSDEEP

6144:jMkI8LNAuDspPBtA4kiduxeIowNxuRjMgU:j7nFDse4k3AQsRQg

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\bldjufgw = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

wcpkdkxs.exe

pid process

3956 wcpkdkxs.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4836 netsh.exe

pid	process
3956	wcpkdkxs.exe

pid	process
4836	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bldjufgw\ImagePath = "C:\\Windows\\SysWOW64\\bldjufgw\\wcpkdkxs.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3784 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wcpkdkxs.exe

description pid process target process

PID 3956 set thread context of 3784 3956 wcpkdkxs.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1252 sc.exe
2936 sc.exe
4236 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3784	svchost.exe

description	pid	process	target process
PID 3956 set thread context of 3784	3956	wcpkdkxs.exe	svchost.exe

pid	process
1252	sc.exe
2936	sc.exe
4236	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exewcpkdkxs.exe

description	pid	process	target process
PID 2792 wrote to memory of 352	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 352	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 352	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 3620	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 3620	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 3620	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	cmd.exe
PID 2792 wrote to memory of 1252	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 1252	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 1252	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 2936	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 2936	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 2936	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 4236	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 4236	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 4236	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	sc.exe
PID 2792 wrote to memory of 4836	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	netsh.exe
PID 2792 wrote to memory of 4836	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	netsh.exe
PID 2792 wrote to memory of 4836	2792	60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe	netsh.exe
PID 3956 wrote to memory of 3784	3956	wcpkdkxs.exe	svchost.exe
PID 3956 wrote to memory of 3784	3956	wcpkdkxs.exe	svchost.exe
PID 3956 wrote to memory of 3784	3956	wcpkdkxs.exe	svchost.exe
PID 3956 wrote to memory of 3784	3956	wcpkdkxs.exe	svchost.exe
PID 3956 wrote to memory of 3784	3956	wcpkdkxs.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe
"C:\Users\Admin\AppData\Local\Temp\60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bldjufgw\
2⤵
PID:352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wcpkdkxs.exe" C:\Windows\SysWOW64\bldjufgw\
2⤵
PID:3620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bldjufgw binPath= "C:\Windows\SysWOW64\bldjufgw\wcpkdkxs.exe /d\"C:\Users\Admin\AppData\Local\Temp\60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1252

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bldjufgw "wifi internet conection"
2⤵
- Launches sc.exe
PID:2936

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bldjufgw
2⤵
- Launches sc.exe
PID:4236

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4836

C:\Windows\SysWOW64\bldjufgw\wcpkdkxs.exe
C:\Windows\SysWOW64\bldjufgw\wcpkdkxs.exe /d"C:\Users\Admin\AppData\Local\Temp\60b74d0ec9fb51ab872ebc48ab29ee078d2b62a6424351af2fe003afc938eb97.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wcpkdkxs.exe
Filesize
13.7MB

MD5
3a116adf4e3d68bf901e5ad8a256a6f8

SHA1
03dd7bb37758837feff56235c076fe58f247c774

SHA256
e5384cff83edaf59e0000b196eecb449c37364fab3efc5c30bb1a0a14926da4d

SHA512
fcd25368f280335dd36f23835ab8fab169b1a7d5697df132c4228011e7f5227738a417647bfd4dd339519a2cc7fd8d46768d623cd347864dceeb2eae1a614ffe

Download Submit
C:\Windows\SysWOW64\bldjufgw\wcpkdkxs.exe
Filesize
13.7MB

MD5
3a116adf4e3d68bf901e5ad8a256a6f8

SHA1
03dd7bb37758837feff56235c076fe58f247c774

SHA256
e5384cff83edaf59e0000b196eecb449c37364fab3efc5c30bb1a0a14926da4d

SHA512
fcd25368f280335dd36f23835ab8fab169b1a7d5697df132c4228011e7f5227738a417647bfd4dd339519a2cc7fd8d46768d623cd347864dceeb2eae1a614ffe

Download Submit
memory/352-171-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/352-172-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/352-170-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/352-173-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/352-169-0x0000000000000000-mapping.dmp

Download
memory/352-174-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-189-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-185-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-183-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-186-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-184-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-182-0x0000000000000000-mapping.dmp

Download
memory/1252-187-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-188-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-190-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-160-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-136-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-138-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-142-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/2792-141-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-140-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-143-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-144-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-145-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-146-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-147-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-148-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-149-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-150-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-152-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-151-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-153-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-154-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-155-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-156-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-157-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-158-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-159-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-120-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-161-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-162-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2792-163-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-164-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-165-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-166-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-167-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-168-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-137-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-139-0x00000000006F3000-0x0000000000709000-memory.dmp

Filesize
88KB

Download
memory/2792-135-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-134-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-133-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-132-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-121-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-218-0x00000000006F3000-0x0000000000709000-memory.dmp

Filesize
88KB

Download
memory/2792-219-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2792-122-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-123-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-124-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-131-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-130-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-129-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-128-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-127-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-126-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-125-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2936-193-0x0000000000000000-mapping.dmp

Download
memory/3620-177-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3620-176-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3620-179-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3620-178-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3620-175-0x0000000000000000-mapping.dmp

Download
memory/3620-180-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3784-324-0x00000000030C9A6B-mapping.dmp

Download
memory/3784-398-0x00000000030C0000-0x00000000030D5000-memory.dmp

Filesize
84KB

Download
memory/3784-486-0x00000000030C0000-0x00000000030D5000-memory.dmp

Filesize
84KB

Download
memory/3956-314-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/3956-311-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3956-330-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4236-204-0x0000000000000000-mapping.dmp

Download
memory/4836-215-0x0000000000000000-mapping.dmp

Download