tofsee | d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

General

Target

supvobl.exe
Size

12.5MB
MD5

be286c784044379ca9a6ca6e7211a29f
SHA1

bf8010a0e4b7ae88095bd9ee303707f4c0da549e
SHA256

d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
SHA512

862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
SSDEEP

24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

veydvupl.exe

pid process

3504 veydvupl.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2220 netsh.exe

pid	process
3504	veydvupl.exe

pid	process
2220	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fodmztqz\ImagePath = "C:\\Windows\\SysWOW64\\fodmztqz\\veydvupl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

supvobl.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation supvobl.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

veydvupl.exe

description pid process target process

PID 3504 set thread context of 1340 3504 veydvupl.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1836 sc.exe
2312 sc.exe
4832 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5052 3012 WerFault.exe supvobl.exe
4392 3504 WerFault.exe veydvupl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	supvobl.exe

description	pid	process	target process
PID 3504 set thread context of 1340	3504	veydvupl.exe	svchost.exe

pid	process
1836	sc.exe
2312	sc.exe
4832	sc.exe

pid	pid_target	process	target process
5052	3012	WerFault.exe	supvobl.exe
4392	3504	WerFault.exe	veydvupl.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

supvobl.exeveydvupl.exe

description	pid	process	target process
PID 3012 wrote to memory of 1732	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 1732	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 1732	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 5044	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 5044	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 5044	3012	supvobl.exe	cmd.exe
PID 3012 wrote to memory of 4832	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 4832	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 4832	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 1836	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 1836	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 1836	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 2312	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 2312	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 2312	3012	supvobl.exe	sc.exe
PID 3012 wrote to memory of 2220	3012	supvobl.exe	netsh.exe
PID 3012 wrote to memory of 2220	3012	supvobl.exe	netsh.exe
PID 3012 wrote to memory of 2220	3012	supvobl.exe	netsh.exe
PID 3504 wrote to memory of 1340	3504	veydvupl.exe	svchost.exe
PID 3504 wrote to memory of 1340	3504	veydvupl.exe	svchost.exe
PID 3504 wrote to memory of 1340	3504	veydvupl.exe	svchost.exe
PID 3504 wrote to memory of 1340	3504	veydvupl.exe	svchost.exe
PID 3504 wrote to memory of 1340	3504	veydvupl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\supvobl.exe
"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fodmztqz\
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\veydvupl.exe" C:\Windows\SysWOW64\fodmztqz\
  2⤵
  PID:5044
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create fodmztqz binPath= "C:\Windows\SysWOW64\fodmztqz\veydvupl.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4832
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description fodmztqz "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1836
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start fodmztqz
  2⤵
  - Launches sc.exe
  PID:2312
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1296
  2⤵
  - Program crash
  PID:5052

C:\Windows\SysWOW64\fodmztqz\veydvupl.exe
C:\Windows\SysWOW64\fodmztqz\veydvupl.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 568
  2⤵
  - Program crash
  PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3012 -ip 3012
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3504 -ip 3504
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\veydvupl.exe

Filesize
11.2MB

MD5
4c464d5628213af7158fdf3003cec684

SHA1
195f27dd56ee16b605fa2e60a685a452dedac63d

SHA256
edeb22b788bb923ab12fd4447853e57a9f7d39d9642b54edfdd17c0dcff5ed90

SHA512
a25a8870409cce370b54c53b2ad800f1ec7ba772dab9956054c36d5f511b00a6437eee4f146be9112cb1f32e22ae3ab87484db0e86eae2dfa95344da55cde1f2

Download Submit
C:\Windows\SysWOW64\fodmztqz\veydvupl.exe

Filesize
11.2MB

MD5
4c464d5628213af7158fdf3003cec684

SHA1
195f27dd56ee16b605fa2e60a685a452dedac63d

SHA256
edeb22b788bb923ab12fd4447853e57a9f7d39d9642b54edfdd17c0dcff5ed90

SHA512
a25a8870409cce370b54c53b2ad800f1ec7ba772dab9956054c36d5f511b00a6437eee4f146be9112cb1f32e22ae3ab87484db0e86eae2dfa95344da55cde1f2

Download Submit
memory/1340-152-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1340-149-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1340-144-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/1340-143-0x0000000000000000-mapping.dmp

Download
memory/1732-135-0x0000000000000000-mapping.dmp

Download
memory/1836-139-0x0000000000000000-mapping.dmp

Download
memory/2220-142-0x0000000000000000-mapping.dmp

Download
memory/2312-140-0x0000000000000000-mapping.dmp

Download
memory/3012-132-0x0000000002F97000-0x0000000002FA5000-memory.dmp

Filesize
56KB

Download
memory/3012-134-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/3012-150-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/3012-133-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/3504-147-0x0000000003192000-0x00000000031A0000-memory.dmp

Filesize
56KB

Download
memory/3504-148-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/3504-151-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/4832-138-0x0000000000000000-mapping.dmp

Download
memory/5044-136-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing