tofsee | 26459555ede3d63618aea53dad29b000e26f9bb13304b4a446f9ee167f78a8fc

General

Target

file.exe
Size

351KB
MD5

2eb8c0882b1ad0705cad453aa0b8b283
SHA1

ebd2e309e0ba0df58de9ce24314191a6ba441272
SHA256

26459555ede3d63618aea53dad29b000e26f9bb13304b4a446f9ee167f78a8fc
SHA512

28361092add39da688172d7d25c4b00150af33ee0636031aa3023d7475c7649bbfa3ab0ea5298cef977497c66bc80a1d8f9418c690fdcf97c1df2c15578dc2ac
SSDEEP

3072:fBW5Cc85YwVButS8rZuc7icDaCHcwIlzXJa1eGE6JMSrXGUNuIycfr/Y4XdDtwBx:ZWvxwTOicS1/DFSLZuIx/Y4tRAwe4

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4712 netsh.exe

pid	process
4712	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gljdeyib\ImagePath = "C:\\Windows\\SysWOW64\\gljdeyib\\frzwcpvt.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

frzwcpvt.exe

pid process

2228 frzwcpvt.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

frzwcpvt.exe

description pid process target process

PID 2228 set thread context of 3260 2228 frzwcpvt.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3916 sc.exe
224 sc.exe
4476 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1512 4108 WerFault.exe file.exe
4488 2228 WerFault.exe frzwcpvt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
2228	frzwcpvt.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 2228 set thread context of 3260	2228	frzwcpvt.exe	svchost.exe

pid	process
3916	sc.exe
224	sc.exe
4476	sc.exe

pid	pid_target	process	target process
1512	4108	WerFault.exe	file.exe
4488	2228	WerFault.exe	frzwcpvt.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 0490763c8b27200124edb47d450dd49d084297dce82e72baa492abfd84207c1dea1f421681cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811d8874b743eedab644490bdb67d22e5905505cff1bc54758df21d5904e0a56a13da874f7134e2a864419bdce0286682cd0934c9c4e4241dd69d430b36fca66914ddb40e367b8be90d4091bdb67d26e49c5400cef6bb54718bce15515bb9fd3041ed85487138e7ab541ecd8484a9341ca4e2de49988d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd843a7e54b22834fdc48d57d1f6ae743d04ccac6d0adb82537338faaf5119f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd775c24ed	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.exefrzwcpvt.exe

description	pid	process	target process
PID 4108 wrote to memory of 3132	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 3132	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 3132	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 1972	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 1972	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 1972	4108	file.exe	cmd.exe
PID 4108 wrote to memory of 3916	4108	file.exe	sc.exe
PID 4108 wrote to memory of 3916	4108	file.exe	sc.exe
PID 4108 wrote to memory of 3916	4108	file.exe	sc.exe
PID 4108 wrote to memory of 224	4108	file.exe	sc.exe
PID 4108 wrote to memory of 224	4108	file.exe	sc.exe
PID 4108 wrote to memory of 224	4108	file.exe	sc.exe
PID 4108 wrote to memory of 4476	4108	file.exe	sc.exe
PID 4108 wrote to memory of 4476	4108	file.exe	sc.exe
PID 4108 wrote to memory of 4476	4108	file.exe	sc.exe
PID 4108 wrote to memory of 4712	4108	file.exe	netsh.exe
PID 4108 wrote to memory of 4712	4108	file.exe	netsh.exe
PID 4108 wrote to memory of 4712	4108	file.exe	netsh.exe
PID 2228 wrote to memory of 3260	2228	frzwcpvt.exe	svchost.exe
PID 2228 wrote to memory of 3260	2228	frzwcpvt.exe	svchost.exe
PID 2228 wrote to memory of 3260	2228	frzwcpvt.exe	svchost.exe
PID 2228 wrote to memory of 3260	2228	frzwcpvt.exe	svchost.exe
PID 2228 wrote to memory of 3260	2228	frzwcpvt.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gljdeyib\
  2⤵
  PID:3132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\frzwcpvt.exe" C:\Windows\SysWOW64\gljdeyib\
  2⤵
  PID:1972
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create gljdeyib binPath= "C:\Windows\SysWOW64\gljdeyib\frzwcpvt.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3916
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description gljdeyib "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:224
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start gljdeyib
  2⤵
  - Launches sc.exe
  PID:4476
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 772
  2⤵
  - Program crash
  PID:1512

C:\Windows\SysWOW64\gljdeyib\frzwcpvt.exe
C:\Windows\SysWOW64\gljdeyib\frzwcpvt.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 512
  2⤵
  - Program crash
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2228 -ip 2228
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\frzwcpvt.exe

Filesize
13.5MB

MD5
a6f0c6b391cffab576eed10f3f4b8b67

SHA1
db02cc5fca00084edfc5c4670452071f8ea4709f

SHA256
b809292e6d4b5237946ae8788a17a2dc690eec799947270ae6f2250418624753

SHA512
4e2a92af3b96cffca6c33cc393d00138c0062cd1a7e1b4308576685cdda30d6dc23c9c718ce58b379a9212c11b30b9ec6a2fa8ae262ae5bb5b627e4ad5bec9a5

Download Submit
C:\Windows\SysWOW64\gljdeyib\frzwcpvt.exe

Filesize
13.5MB

MD5
a6f0c6b391cffab576eed10f3f4b8b67

SHA1
db02cc5fca00084edfc5c4670452071f8ea4709f

SHA256
b809292e6d4b5237946ae8788a17a2dc690eec799947270ae6f2250418624753

SHA512
4e2a92af3b96cffca6c33cc393d00138c0062cd1a7e1b4308576685cdda30d6dc23c9c718ce58b379a9212c11b30b9ec6a2fa8ae262ae5bb5b627e4ad5bec9a5

Download Submit
memory/2228-145-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/3260-140-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/3260-143-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/3260-144-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/3260-146-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/3260-148-0x0000000000C00000-0x0000000000C15000-memory.dmp

Filesize
84KB

Download
memory/4108-135-0x0000000000980000-0x0000000000993000-memory.dmp

Filesize
76KB

Download
memory/4108-138-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads