tofsee | 15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a

General

Target

file.exe
Size

299KB
MD5

f4d9f3f1009be26ad902f44ac9082c4e
SHA1

9814e5e8e6ce762b7e0544f8f44d1eddd9658415
SHA256

15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
SHA512

c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
SSDEEP

6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4192 netsh.exe

pid	process
4192	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pggguiag\ImagePath = "C:\\Windows\\SysWOW64\\pggguiag\\ndfsjbm.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

ndfsjbm.exe

pid process

4080 ndfsjbm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
4080	ndfsjbm.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ndfsjbm.exe

description pid process target process

PID 4080 set thread context of 5000 4080 ndfsjbm.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1660 sc.exe
4376 sc.exe
1920 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4080 set thread context of 5000	4080	ndfsjbm.exe	svchost.exe

pid	process
1660	sc.exe
4376	sc.exe
1920	sc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008dba3d7dadcf0124edb47d450dd49d084297dce82e72baa4c0698aa52cce1d0473b5a587cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d48044763ee0ac644490bdb57824ea935e07ccf4ba54758df21d5904fca66c16d8844e743de79d084295d9e13f4bb4c06d00fdadfd542cd49a450f3df8a36414edc70f3252a0f40948f48bbc7d25e4945e0ccec4e13b7e85c12b496da0f15d15d880447034e6ae5018f4	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008dba3d7dadcf0124edb47d450dd49d084297dce82e72baa4c0698aa52cce1dd217000187cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d48044763ee0ac644490bdb57824ea935e07ccf4ba54758df21d5904fca66c16d8844e743de79d084295d9e13f4bb4c06d00fdadfd542cd49a450f3df8a36414edc70f3252a0f40948f484b37526ed91580dcac4e13b7e85c12b496da0f15d15d880447034e6a9551ef4	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.exendfsjbm.exe

description	pid	process	target process
PID 4872 wrote to memory of 3424	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 3424	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 3424	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 4588	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 4588	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 4588	4872	file.exe	cmd.exe
PID 4872 wrote to memory of 1660	4872	file.exe	sc.exe
PID 4872 wrote to memory of 1660	4872	file.exe	sc.exe
PID 4872 wrote to memory of 1660	4872	file.exe	sc.exe
PID 4872 wrote to memory of 4376	4872	file.exe	sc.exe
PID 4872 wrote to memory of 4376	4872	file.exe	sc.exe
PID 4872 wrote to memory of 4376	4872	file.exe	sc.exe
PID 4872 wrote to memory of 1920	4872	file.exe	sc.exe
PID 4872 wrote to memory of 1920	4872	file.exe	sc.exe
PID 4872 wrote to memory of 1920	4872	file.exe	sc.exe
PID 4872 wrote to memory of 4192	4872	file.exe	netsh.exe
PID 4872 wrote to memory of 4192	4872	file.exe	netsh.exe
PID 4872 wrote to memory of 4192	4872	file.exe	netsh.exe
PID 4080 wrote to memory of 5000	4080	ndfsjbm.exe	svchost.exe
PID 4080 wrote to memory of 5000	4080	ndfsjbm.exe	svchost.exe
PID 4080 wrote to memory of 5000	4080	ndfsjbm.exe	svchost.exe
PID 4080 wrote to memory of 5000	4080	ndfsjbm.exe	svchost.exe
PID 4080 wrote to memory of 5000	4080	ndfsjbm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pggguiag\
2⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndfsjbm.exe" C:\Windows\SysWOW64\pggguiag\
2⤵
PID:4588

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create pggguiag binPath= "C:\Windows\SysWOW64\pggguiag\ndfsjbm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1660

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description pggguiag "wifi internet conection"
2⤵
- Launches sc.exe
PID:4376

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start pggguiag
2⤵
- Launches sc.exe
PID:1920

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4192

C:\Windows\SysWOW64\pggguiag\ndfsjbm.exe
C:\Windows\SysWOW64\pggguiag\ndfsjbm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndfsjbm.exe

Filesize
14.7MB

MD5
628aaa9ac5c201e7fef243bf1ca6ac72

SHA1
6bc2d0ec4ce4f456523613a9906beb8d505ee55c

SHA256
44fbbcc419c465207c45d37d77ce84317558f6fe484c5ac98dd56f39adf708a8

SHA512
0d1d6429389cda964120a4ba1dbf19568eaf5131da4a055dd515617256b6d0bd27a042955d80ccde93d4be59a44adfef8152d92c2a356f168a19998461c463dc

Download Submit
C:\Windows\SysWOW64\pggguiag\ndfsjbm.exe

Filesize
14.7MB

MD5
628aaa9ac5c201e7fef243bf1ca6ac72

SHA1
6bc2d0ec4ce4f456523613a9906beb8d505ee55c

SHA256
44fbbcc419c465207c45d37d77ce84317558f6fe484c5ac98dd56f39adf708a8

SHA512
0d1d6429389cda964120a4ba1dbf19568eaf5131da4a055dd515617256b6d0bd27a042955d80ccde93d4be59a44adfef8152d92c2a356f168a19998461c463dc

Download Submit
memory/1660-139-0x0000000000000000-mapping.dmp

Download
memory/1920-141-0x0000000000000000-mapping.dmp

Download
memory/3424-136-0x0000000000000000-mapping.dmp

Download
memory/4080-145-0x00000000005B9000-0x00000000005CE000-memory.dmp

Filesize
84KB

Download
memory/4080-149-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4080-151-0x00000000005B9000-0x00000000005CE000-memory.dmp

Filesize
84KB

Download
memory/4192-143-0x0000000000000000-mapping.dmp

Download
memory/4376-140-0x0000000000000000-mapping.dmp

Download
memory/4588-137-0x0000000000000000-mapping.dmp

Download
memory/4872-134-0x0000000002210000-0x0000000002223000-memory.dmp

Filesize
76KB

Download
memory/4872-133-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/4872-144-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4872-135-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5000-146-0x0000000000000000-mapping.dmp

Download
memory/5000-147-0x0000000000CD0000-0x0000000000CE5000-memory.dmp

Filesize
84KB

Download
memory/5000-152-0x0000000000CD0000-0x0000000000CE5000-memory.dmp

Filesize
84KB

Download
memory/5000-153-0x0000000000CD0000-0x0000000000CE5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads