tofsee | 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb

General

Target

file.exe
Size

276KB
MD5

80ee506064ae22c8ea34ffb2431f2488
SHA1

0c5a71beb97751a781203d598e97e5a746df62df
SHA256

77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb
SHA512

39be470cc5e8f170296371c7cfb7727b402e4c8b6e1ea6d66fe4195aa83f090cb9cf17d941dbb15214ae9e0a20f0015a190eb35a563067f2d645ea3f21609a6c
SSDEEP

3072:/3czQeDsw9vCdirSqJ4GGueYDDwOtDUeblv8zMrnwg5o6JP3WJ0nWFok:GQmstdiDJ4xuHDwiDpd8z+w56J+Dak

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

632 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

mcyniayg.exe

pid process

300 mcyniayg.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

524 sc.exe
1772 sc.exe
1836 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
632	netsh.exe

pid	process
300	mcyniayg.exe

pid	process
524	sc.exe
1772	sc.exe
1836	sc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1696 wrote to memory of 1956	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1956	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1956	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1956	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1612	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1612	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1612	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 1612	1696	file.exe	cmd.exe
PID 1696 wrote to memory of 524	1696	file.exe	sc.exe
PID 1696 wrote to memory of 524	1696	file.exe	sc.exe
PID 1696 wrote to memory of 524	1696	file.exe	sc.exe
PID 1696 wrote to memory of 524	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1772	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1772	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1772	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1772	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1836	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1836	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1836	1696	file.exe	sc.exe
PID 1696 wrote to memory of 1836	1696	file.exe	sc.exe
PID 1696 wrote to memory of 632	1696	file.exe	netsh.exe
PID 1696 wrote to memory of 632	1696	file.exe	netsh.exe
PID 1696 wrote to memory of 632	1696	file.exe	netsh.exe
PID 1696 wrote to memory of 632	1696	file.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hxjnsyxa\
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mcyniayg.exe" C:\Windows\SysWOW64\hxjnsyxa\
  2⤵
  PID:1612
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hxjnsyxa binPath= "C:\Windows\SysWOW64\hxjnsyxa\mcyniayg.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:524
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hxjnsyxa "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1772
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hxjnsyxa
  2⤵
  - Launches sc.exe
  PID:1836
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:632

C:\Windows\SysWOW64\hxjnsyxa\mcyniayg.exe
C:\Windows\SysWOW64\hxjnsyxa\mcyniayg.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mcyniayg.exe

Filesize
13.4MB

MD5
50eb515b3043598149aca1dd57c4620c

SHA1
e3eb0c4cef5b3d9e5cd543de880c7ee4b36c28bf

SHA256
e8572223fdd84ac25e0becbf4322ccd5b984bf1e97a7f34b552f6a64fe1fa886

SHA512
e350951434b84176412766bb5132e922e9e95d866c39b7ca7381e401483fc4cdabbf0a49c87cc61f2d54bb52436bae99e6a38df2ff64fcc72d3220ab57e1a48c

Download Submit
C:\Windows\SysWOW64\hxjnsyxa\mcyniayg.exe

Filesize
13.4MB

MD5
50eb515b3043598149aca1dd57c4620c

SHA1
e3eb0c4cef5b3d9e5cd543de880c7ee4b36c28bf

SHA256
e8572223fdd84ac25e0becbf4322ccd5b984bf1e97a7f34b552f6a64fe1fa886

SHA512
e350951434b84176412766bb5132e922e9e95d866c39b7ca7381e401483fc4cdabbf0a49c87cc61f2d54bb52436bae99e6a38df2ff64fcc72d3220ab57e1a48c

Download Submit
memory/1696-56-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/1696-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing