tofsee | d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

General

Target

supvobl.exe
Size

12.5MB
MD5

be286c784044379ca9a6ca6e7211a29f
SHA1

bf8010a0e4b7ae88095bd9ee303707f4c0da549e
SHA256

d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
SHA512

862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
SSDEEP

24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hhsxszjb = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

mhldtege.exe

pid process

920 mhldtege.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

928 netsh.exe

pid	process
920	mhldtege.exe

pid	process
928	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hhsxszjb\ImagePath = "C:\\Windows\\SysWOW64\\hhsxszjb\\mhldtege.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

968 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mhldtege.exe

description pid process target process

PID 920 set thread context of 968 920 mhldtege.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1856 sc.exe
1488 sc.exe
1764 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
968	svchost.exe

description	pid	process	target process
PID 920 set thread context of 968	920	mhldtege.exe	svchost.exe

pid	process
1856	sc.exe
1488	sc.exe
1764	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

supvobl.exemhldtege.exe

description	pid	process	target process
PID 2024 wrote to memory of 1524	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 1524	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 1524	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 1524	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 748	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 748	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 748	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 748	2024	supvobl.exe	cmd.exe
PID 2024 wrote to memory of 1856	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1856	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1856	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1856	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1488	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1488	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1488	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1488	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1764	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1764	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1764	2024	supvobl.exe	sc.exe
PID 2024 wrote to memory of 1764	2024	supvobl.exe	sc.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 920 wrote to memory of 968	920	mhldtege.exe	svchost.exe
PID 2024 wrote to memory of 928	2024	supvobl.exe	netsh.exe
PID 2024 wrote to memory of 928	2024	supvobl.exe	netsh.exe
PID 2024 wrote to memory of 928	2024	supvobl.exe	netsh.exe
PID 2024 wrote to memory of 928	2024	supvobl.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\supvobl.exe
"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hhsxszjb\
  2⤵
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mhldtege.exe" C:\Windows\SysWOW64\hhsxszjb\
  2⤵
  PID:748
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hhsxszjb binPath= "C:\Windows\SysWOW64\hhsxszjb\mhldtege.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1856
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hhsxszjb "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hhsxszjb
  2⤵
  - Launches sc.exe
  PID:1764
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:928

C:\Windows\SysWOW64\hhsxszjb\mhldtege.exe
C:\Windows\SysWOW64\hhsxszjb\mhldtege.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mhldtege.exe

Filesize
14.7MB

MD5
9abe967beb2928d487114515fb0140fc

SHA1
5434f58ca1598fab868567f596c12ff69735558a

SHA256
c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708

SHA512
aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e

Download Submit
C:\Windows\SysWOW64\hhsxszjb\mhldtege.exe

Filesize
14.7MB

MD5
9abe967beb2928d487114515fb0140fc

SHA1
5434f58ca1598fab868567f596c12ff69735558a

SHA256
c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708

SHA512
aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e

Download Submit
memory/748-60-0x0000000000000000-mapping.dmp

Download
memory/920-75-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/920-71-0x0000000002FAA000-0x0000000002FB7000-memory.dmp

Filesize
52KB

Download
memory/928-76-0x0000000000000000-mapping.dmp

Download
memory/968-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/968-80-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/968-70-0x0000000000089A6B-mapping.dmp

Download
memory/968-77-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/968-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/1524-56-0x0000000000000000-mapping.dmp

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1856-62-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/2024-58-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2024-59-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/2024-78-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/2024-57-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads