tofsee | d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

General

Target

supvobl.exe
Size

12.5MB
MD5

be286c784044379ca9a6ca6e7211a29f
SHA1

bf8010a0e4b7ae88095bd9ee303707f4c0da549e
SHA256

d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
SHA512

862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
SSDEEP

24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

pysxpojf.exe

pid process

216 pysxpojf.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

344 netsh.exe

pid	process
216	pysxpojf.exe

pid	process
344	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jldqbkkb\ImagePath = "C:\\Windows\\SysWOW64\\jldqbkkb\\pysxpojf.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

supvobl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	supvobl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pysxpojf.exe

description pid process target process

PID 216 set thread context of 1536 216 pysxpojf.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2628 sc.exe
4908 sc.exe
3988 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4308 216 WerFault.exe pysxpojf.exe
2044 2196 WerFault.exe supvobl.exe

description	pid	process	target process
PID 216 set thread context of 1536	216	pysxpojf.exe	svchost.exe

pid	process
2628	sc.exe
4908	sc.exe
3988	sc.exe

pid	pid_target	process	target process
4308	216	WerFault.exe	pysxpojf.exe
2044	2196	WerFault.exe	supvobl.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

supvobl.exepysxpojf.exe

description	pid	process	target process
PID 2196 wrote to memory of 1120	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 1120	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 1120	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 2360	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 2360	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 2360	2196	supvobl.exe	cmd.exe
PID 2196 wrote to memory of 2628	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 2628	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 2628	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 4908	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 4908	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 4908	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 3988	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 3988	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 3988	2196	supvobl.exe	sc.exe
PID 2196 wrote to memory of 344	2196	supvobl.exe	netsh.exe
PID 2196 wrote to memory of 344	2196	supvobl.exe	netsh.exe
PID 2196 wrote to memory of 344	2196	supvobl.exe	netsh.exe
PID 216 wrote to memory of 1536	216	pysxpojf.exe	svchost.exe
PID 216 wrote to memory of 1536	216	pysxpojf.exe	svchost.exe
PID 216 wrote to memory of 1536	216	pysxpojf.exe	svchost.exe
PID 216 wrote to memory of 1536	216	pysxpojf.exe	svchost.exe
PID 216 wrote to memory of 1536	216	pysxpojf.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\supvobl.exe
"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jldqbkkb\
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pysxpojf.exe" C:\Windows\SysWOW64\jldqbkkb\
  2⤵
  PID:2360
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create jldqbkkb binPath= "C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2628
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description jldqbkkb "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4908
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start jldqbkkb
  2⤵
  - Launches sc.exe
  PID:3988
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 572
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe
C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 568
  2⤵
  - Program crash
  PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2196 -ip 2196
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 216 -ip 216
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pysxpojf.exe

Filesize
13.1MB

MD5
408fc222d1ca9795042137be9361c3f5

SHA1
ab64ce46a7a0419598738c4279869a5b21e4b7d2

SHA256
3878141b7b9fe2f794331b3a63b2e45f446ce85fb81d66e7f4ea2360cafa3ba3

SHA512
14964de457285d5bdbdc936ccd96f5bc424989d33d7c564c0941819fa259cc5c6bdf8036f8674ebd6f4aff92a85591d3af458f77fba31c4e4ef3229161c87b0c

Download Submit
C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe

Filesize
13.1MB

MD5
408fc222d1ca9795042137be9361c3f5

SHA1
ab64ce46a7a0419598738c4279869a5b21e4b7d2

SHA256
3878141b7b9fe2f794331b3a63b2e45f446ce85fb81d66e7f4ea2360cafa3ba3

SHA512
14964de457285d5bdbdc936ccd96f5bc424989d33d7c564c0941819fa259cc5c6bdf8036f8674ebd6f4aff92a85591d3af458f77fba31c4e4ef3229161c87b0c

Download Submit
memory/216-152-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/216-148-0x0000000002EC0000-0x0000000002ED3000-memory.dmp

Filesize
76KB

Download
memory/216-147-0x00000000030E2000-0x00000000030F0000-memory.dmp

Filesize
56KB

Download
memory/344-142-0x0000000000000000-mapping.dmp

Download
memory/1120-134-0x0000000000000000-mapping.dmp

Download
memory/1536-143-0x0000000000000000-mapping.dmp

Download
memory/1536-153-0x0000000000BE0000-0x0000000000BF5000-memory.dmp

Filesize
84KB

Download
memory/1536-151-0x0000000000BE0000-0x0000000000BF5000-memory.dmp

Filesize
84KB

Download
memory/1536-144-0x0000000000BE0000-0x0000000000BF5000-memory.dmp

Filesize
84KB

Download
memory/2196-149-0x0000000003017000-0x0000000003025000-memory.dmp

Filesize
56KB

Download
memory/2196-132-0x0000000003017000-0x0000000003025000-memory.dmp

Filesize
56KB

Download
memory/2196-135-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/2196-150-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/2196-133-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/2360-136-0x0000000000000000-mapping.dmp

Download
memory/2628-138-0x0000000000000000-mapping.dmp

Download
memory/3988-140-0x0000000000000000-mapping.dmp

Download
memory/4908-139-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads