tofsee | 15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a

General

Target

file.exe
Size

299KB
MD5

f4d9f3f1009be26ad902f44ac9082c4e
SHA1

9814e5e8e6ce762b7e0544f8f44d1eddd9658415
SHA256

15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
SHA512

c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
SSDEEP

6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\xksgpfzr = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

928 netsh.exe

pid	process
928	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xksgpfzr\ImagePath = "C:\\Windows\\SysWOW64\\xksgpfzr\\loxiieeb.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1176 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

loxiieeb.exe

pid process

1052 loxiieeb.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

loxiieeb.exe

description pid process target process

PID 1052 set thread context of 1176 1052 loxiieeb.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1120 sc.exe
380 sc.exe
1932 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1176	svchost.exe

pid	process
1052	loxiieeb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 1052 set thread context of 1176	1052	loxiieeb.exe	svchost.exe

pid	process
1120	sc.exe
380	sc.exe
1932	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c38563d83a3cf0124edb47d450dd49d084297dce82e72baa4833efd20625e1d6dd9fa2c87cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d480447134e7a4644490bdb67d2cef9d5a06c9f4be54758df21d5904f5a46912da82457639d4f10b4c90d8f6127db9a4593494b48d652dd39c460431faad6d249ec60b1b79bdf0012dd988b77e2ded955d02cac4e13b7e85c12b496da0f15d15d880447034e1a4501ef459a440145aca3668fdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4caeec40298a46d34fdc741461ee4ad743c3cfdba6b12c383486a3fe1a9642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de7cc945d	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

file.exeloxiieeb.exe

description	pid	process	target process
PID 2032 wrote to memory of 1984	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1984	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1984	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1984	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1664	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1664	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1664	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1664	2032	file.exe	cmd.exe
PID 2032 wrote to memory of 1120	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1120	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1120	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1120	2032	file.exe	sc.exe
PID 2032 wrote to memory of 380	2032	file.exe	sc.exe
PID 2032 wrote to memory of 380	2032	file.exe	sc.exe
PID 2032 wrote to memory of 380	2032	file.exe	sc.exe
PID 2032 wrote to memory of 380	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1932	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1932	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1932	2032	file.exe	sc.exe
PID 2032 wrote to memory of 1932	2032	file.exe	sc.exe
PID 2032 wrote to memory of 928	2032	file.exe	netsh.exe
PID 2032 wrote to memory of 928	2032	file.exe	netsh.exe
PID 2032 wrote to memory of 928	2032	file.exe	netsh.exe
PID 2032 wrote to memory of 928	2032	file.exe	netsh.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe
PID 1052 wrote to memory of 1176	1052	loxiieeb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xksgpfzr\
2⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\loxiieeb.exe" C:\Windows\SysWOW64\xksgpfzr\
2⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create xksgpfzr binPath= "C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1120

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description xksgpfzr "wifi internet conection"
2⤵
- Launches sc.exe
PID:380

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start xksgpfzr
2⤵
- Launches sc.exe
PID:1932

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:928

C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe
C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loxiieeb.exe

Filesize
12.8MB

MD5
19fda7fd36228cb53f6041fa9d403e17

SHA1
eb875d8c87fd7d0c3df6026b789b12fc8e9f4251

SHA256
a9b445ece9dcf4d925e0176c429283c4300fbd8865f257cad439198d118eaead

SHA512
89b33bfabd9ee1a1a4ffeb797bdbe05e5ec540fa27f21c15b08a4627d8772b2cc488a02b45056e21a3a9c6ae30129f1d3d23f6150740ad3bd96c300803238706

Download Submit
C:\Windows\SysWOW64\xksgpfzr\loxiieeb.exe

Filesize
12.8MB

MD5
19fda7fd36228cb53f6041fa9d403e17

SHA1
eb875d8c87fd7d0c3df6026b789b12fc8e9f4251

SHA256
a9b445ece9dcf4d925e0176c429283c4300fbd8865f257cad439198d118eaead

SHA512
89b33bfabd9ee1a1a4ffeb797bdbe05e5ec540fa27f21c15b08a4627d8772b2cc488a02b45056e21a3a9c6ae30129f1d3d23f6150740ad3bd96c300803238706

Download Submit
memory/380-62-0x0000000000000000-mapping.dmp

Download
memory/928-65-0x0000000000000000-mapping.dmp

Download
memory/1052-76-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1052-75-0x000000000063C000-0x0000000000651000-memory.dmp

Filesize
84KB

Download
memory/1120-61-0x0000000000000000-mapping.dmp

Download
memory/1176-72-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1176-73-0x00000000000C9A6B-mapping.dmp

Download
memory/1176-80-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1176-79-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1176-70-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1664-59-0x0000000000000000-mapping.dmp

Download
memory/1932-63-0x0000000000000000-mapping.dmp

Download
memory/1984-55-0x0000000000000000-mapping.dmp

Download
memory/2032-66-0x00000000005AC000-0x00000000005C1000-memory.dmp

Filesize
84KB

Download
memory/2032-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000230000-0x0000000000243000-memory.dmp

Filesize
76KB

Download
memory/2032-67-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2032-56-0x00000000005AC000-0x00000000005C1000-memory.dmp

Filesize
84KB

Download
memory/2032-58-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads