tofsee | e601e2249d2ed99e05552157a32aa73fb476f2b55bb63d10f9a3405d8269c693

Resubmissions

08/05/2023, 12:04

230508-n83alscc6v 10

14/02/2023, 12:24

14/02/2023, 12:00

14/02/2023, 11:52

24/01/2023, 09:45

Analysis

max time kernel
19s
max time network
22s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/02/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
Size

232KB
MD5

f6254a206b59207201f38f69fb018932
SHA1

4109d2edf584ce7f8104410eaa02ddae1aa37117
SHA256

8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45
SHA512

bf6ab8ed99b730a364affed3f341387d82a5fed4ae052f4e897726adae2e963182083a3ba6fa52dfa6f2bd9cc9c3b92643279f46bebf931288545938da5a01b6
SSDEEP

3072:aIGGLok59Gt+ECvLFwyvBnlS1g/tK8MJ2LJDhzLrcSb54VIcVTuh:TLoYC+rK+ztK8MY3bIr

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1644	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\edupxxhy\ImagePath = "C:\\Windows\\SysWOW64\\edupxxhy\\ynbyrxtw.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1832	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
112	ynbyrxtw.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 1832	112	ynbyrxtw.exe	39

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2012	sc.exe
956	sc.exe
1604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c380e3d0da7f10124edb47d450dd49d084297dce82e72baa49e11fdd478711d08994b5980cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811dd8548743ce0a4644490bdb07927e4905b03c4f58d3c74bbc4103d29f5a66e16db834b7135d4f10b4c90d8f6127db9a4593494b48d792cd4984d0935fda26916edc70f3252a0f40948f48cbd7921e5915b0cc4f28d387287cc186270a4f93824dc8148743ce1ad5518c7bd606d1dddad0751a1c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bda4b0ff44e16d34fdc48e980fe7ad743d05f5a47312db9a4a7123e6a8502df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d042a955d24	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1204	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	26
PID 856 wrote to memory of 1204	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	26
PID 856 wrote to memory of 1204	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	26
PID 856 wrote to memory of 1204	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	26
PID 856 wrote to memory of 1540	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	28
PID 856 wrote to memory of 1540	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	28
PID 856 wrote to memory of 1540	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	28
PID 856 wrote to memory of 1540	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	28
PID 856 wrote to memory of 956	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	30
PID 856 wrote to memory of 956	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	30
PID 856 wrote to memory of 956	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	30
PID 856 wrote to memory of 956	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	30
PID 856 wrote to memory of 1604	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	32
PID 856 wrote to memory of 1604	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	32
PID 856 wrote to memory of 1604	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	32
PID 856 wrote to memory of 1604	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	32
PID 856 wrote to memory of 2012	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	34
PID 856 wrote to memory of 2012	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	34
PID 856 wrote to memory of 2012	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	34
PID 856 wrote to memory of 2012	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	34
PID 856 wrote to memory of 1644	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	38
PID 856 wrote to memory of 1644	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	38
PID 856 wrote to memory of 1644	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	38
PID 856 wrote to memory of 1644	856	8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe	38
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39
PID 112 wrote to memory of 1832	112	ynbyrxtw.exe	39

C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edupxxhy\
  2⤵
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ynbyrxtw.exe" C:\Windows\SysWOW64\edupxxhy\
  2⤵
  PID:1540
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create edupxxhy binPath= "C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d\"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:956
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description edupxxhy "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1604
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start edupxxhy
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1644

C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe
C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ynbyrxtw.exe

Filesize
14.1MB

MD5
a26b8b2a3e377ecc320d0f6786b6020f

SHA1
100c30429cb88a221f58287110b2f88554e0ba70

SHA256
c3abf7fc8a66a932be95f1c5be8e8c29b90d1ce7b60344a8b82234af625074f3

SHA512
1aff8ac929835e939e1b4f7e248e8a42d7fb6c4d01de6c5233895ca9afc4b98ea2a78d2b98254c09be88224d88b5d458c1ed566f9f36a0665de138a0fb0cadb2

Download Submit
C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe

Filesize
14.1MB

MD5
a26b8b2a3e377ecc320d0f6786b6020f

SHA1
100c30429cb88a221f58287110b2f88554e0ba70

SHA256
c3abf7fc8a66a932be95f1c5be8e8c29b90d1ce7b60344a8b82234af625074f3

SHA512
1aff8ac929835e939e1b4f7e248e8a42d7fb6c4d01de6c5233895ca9afc4b98ea2a78d2b98254c09be88224d88b5d458c1ed566f9f36a0665de138a0fb0cadb2

Download Submit
memory/112-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/112-74-0x000000000053B000-0x000000000054C000-memory.dmp

Filesize
68KB

Download
memory/856-66-0x000000000061B000-0x000000000062C000-memory.dmp

Filesize
68KB

Download
memory/856-57-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/856-56-0x000000000061B000-0x000000000062C000-memory.dmp

Filesize
68KB

Download
memory/856-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/856-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/856-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1832-70-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1832-72-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1832-79-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download