tofsee | d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993

General

Target

supvobl.exe
Size

12.5MB
MD5

be286c784044379ca9a6ca6e7211a29f
SHA1

bf8010a0e4b7ae88095bd9ee303707f4c0da549e
SHA256

d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
SHA512

862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
SSDEEP

24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ibifuntv = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

sbvasrmi.exe

pid process

284 sbvasrmi.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

628 netsh.exe

pid	process
284	sbvasrmi.exe

pid	process
628	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ibifuntv\ImagePath = "C:\\Windows\\SysWOW64\\ibifuntv\\sbvasrmi.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

684 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sbvasrmi.exe

description pid process target process

PID 284 set thread context of 684 284 sbvasrmi.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

748 sc.exe
580 sc.exe
1480 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
684	svchost.exe

description	pid	process	target process
PID 284 set thread context of 684	284	sbvasrmi.exe	svchost.exe

pid	process
748	sc.exe
580	sc.exe
1480	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

supvobl.exesbvasrmi.exe

description	pid	process	target process
PID 1112 wrote to memory of 1004	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1004	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1004	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1004	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1672	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1672	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1672	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 1672	1112	supvobl.exe	cmd.exe
PID 1112 wrote to memory of 580	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 580	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 580	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 580	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 1480	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 1480	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 1480	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 1480	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 748	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 748	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 748	1112	supvobl.exe	sc.exe
PID 1112 wrote to memory of 748	1112	supvobl.exe	sc.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 284 wrote to memory of 684	284	sbvasrmi.exe	svchost.exe
PID 1112 wrote to memory of 628	1112	supvobl.exe	netsh.exe
PID 1112 wrote to memory of 628	1112	supvobl.exe	netsh.exe
PID 1112 wrote to memory of 628	1112	supvobl.exe	netsh.exe
PID 1112 wrote to memory of 628	1112	supvobl.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\supvobl.exe
"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ibifuntv\
  2⤵
  PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sbvasrmi.exe" C:\Windows\SysWOW64\ibifuntv\
  2⤵
  PID:1672
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ibifuntv binPath= "C:\Windows\SysWOW64\ibifuntv\sbvasrmi.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:580
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ibifuntv "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ibifuntv
  2⤵
  - Launches sc.exe
  PID:748
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:628

C:\Windows\SysWOW64\ibifuntv\sbvasrmi.exe
C:\Windows\SysWOW64\ibifuntv\sbvasrmi.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sbvasrmi.exe

Filesize
13.2MB

MD5
bfb67d5d3f100cd87a1c5a4f51eb3185

SHA1
4840ee2420dee2657bfb2a2fd91d7d3239429320

SHA256
94dee3cd455cca6f4cbf06ae2826877a9423c1ace6e08b5c28b1a172645620de

SHA512
cef1e73db6e24acc72baf3c3fb110916423a20d6596f30ed942f30bde1924311a6156404e03897fe17dc356c75d7c75a411b86e0e1809e69f80d660fce7ccf8b

Download Submit
C:\Windows\SysWOW64\ibifuntv\sbvasrmi.exe

Filesize
13.2MB

MD5
bfb67d5d3f100cd87a1c5a4f51eb3185

SHA1
4840ee2420dee2657bfb2a2fd91d7d3239429320

SHA256
94dee3cd455cca6f4cbf06ae2826877a9423c1ace6e08b5c28b1a172645620de

SHA512
cef1e73db6e24acc72baf3c3fb110916423a20d6596f30ed942f30bde1924311a6156404e03897fe17dc356c75d7c75a411b86e0e1809e69f80d660fce7ccf8b

Download Submit
memory/284-77-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/284-70-0x000000000028A000-0x0000000000297000-memory.dmp

Filesize
52KB

Download
memory/580-61-0x0000000000000000-mapping.dmp

Download
memory/628-74-0x0000000000000000-mapping.dmp

Download
memory/684-76-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/684-69-0x0000000000119A6B-mapping.dmp

Download
memory/684-80-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/684-68-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/684-66-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/748-63-0x0000000000000000-mapping.dmp

Download
memory/1004-55-0x0000000000000000-mapping.dmp

Download
memory/1112-58-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/1112-56-0x000000000324A000-0x0000000003257000-memory.dmp

Filesize
52KB

Download
memory/1112-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1112-75-0x000000000324A000-0x0000000003257000-memory.dmp

Filesize
52KB

Download
memory/1112-57-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1112-78-0x0000000000400000-0x0000000002DEE000-memory.dmp

Filesize
41.9MB

Download
memory/1480-62-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads