tofsee | 209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5

General

Target

file.exe
Size

213KB
MD5

dac1f98021e82370657ca79d43940e9e
SHA1

1d69c84299549560c1a46d085256a27d6a074621
SHA256

209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5
SHA512

56f829653430fffee2e9799902fd38bb726c28bdda5accd43e5c3b333ef2c909d7b9c865e8ba3041609bfc415b9283a9cf4d3888dd81b1091fae7b7cc53b5432
SSDEEP

3072:HnCD27R5eVPDZg4lrEh+DsuNk0+LpzCJMZZmEo8ksJ5tMxqyI7iMPre:HRjeVPu4lrEh+Dsik0+RTDw9u/7iMT

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1476 netsh.exe

pid	process
1476	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fpxeoesa\ImagePath = "C:\\Windows\\SysWOW64\\fpxeoesa\\capxqgbx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

capxqgbx.exe

pid process

3908 capxqgbx.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

capxqgbx.exe

description pid process target process

PID 3908 set thread context of 2656 3908 capxqgbx.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3640 sc.exe
3868 sc.exe
216 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3916 1564 WerFault.exe file.exe
3680 3908 WerFault.exe capxqgbx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
3908	capxqgbx.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 3908 set thread context of 2656	3908	capxqgbx.exe	svchost.exe

pid	process
3640	sc.exe
3868	sc.exe
216	sc.exe

pid	pid_target	process	target process
3916	1564	WerFault.exe	file.exe
3680	3908	WerFault.exe	capxqgbx.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 7cbc573ce7f5230124edb47d450dd49d084297dce82e72baa4c0bc8aaceebc1dcbe3949885cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811d8814c7538e6ad644490bdb57922eb965803cbf78d3c74bbc4103d29fea56f15dc8c7d2862b5f9015fabd4e04d20ddcd1d34ccfcbf602bd594420432cde72f52b2c0142968d4b05514c788bc7b23e99d5a3491abee3571bbd91d5061cda56811d8814c7538e6ae64c9d45784ae2c6af86d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d645a9e34920814dda46d3731d68e541de4ac4c0d2afba27313d89a4f7139d49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad973c04cd	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.execapxqgbx.exe

description	pid	process	target process
PID 1564 wrote to memory of 884	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 884	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 884	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 852	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 852	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 852	1564	file.exe	cmd.exe
PID 1564 wrote to memory of 3640	1564	file.exe	sc.exe
PID 1564 wrote to memory of 3640	1564	file.exe	sc.exe
PID 1564 wrote to memory of 3640	1564	file.exe	sc.exe
PID 1564 wrote to memory of 3868	1564	file.exe	sc.exe
PID 1564 wrote to memory of 3868	1564	file.exe	sc.exe
PID 1564 wrote to memory of 3868	1564	file.exe	sc.exe
PID 1564 wrote to memory of 216	1564	file.exe	sc.exe
PID 1564 wrote to memory of 216	1564	file.exe	sc.exe
PID 1564 wrote to memory of 216	1564	file.exe	sc.exe
PID 1564 wrote to memory of 1476	1564	file.exe	netsh.exe
PID 1564 wrote to memory of 1476	1564	file.exe	netsh.exe
PID 1564 wrote to memory of 1476	1564	file.exe	netsh.exe
PID 3908 wrote to memory of 2656	3908	capxqgbx.exe	svchost.exe
PID 3908 wrote to memory of 2656	3908	capxqgbx.exe	svchost.exe
PID 3908 wrote to memory of 2656	3908	capxqgbx.exe	svchost.exe
PID 3908 wrote to memory of 2656	3908	capxqgbx.exe	svchost.exe
PID 3908 wrote to memory of 2656	3908	capxqgbx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpxeoesa\
2⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\capxqgbx.exe" C:\Windows\SysWOW64\fpxeoesa\
2⤵
PID:852

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fpxeoesa binPath= "C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:3640

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fpxeoesa "wifi internet conection"
2⤵
- Launches sc.exe
PID:3868

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fpxeoesa
2⤵
- Launches sc.exe
PID:216

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1048
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe
C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 548
2⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1564 -ip 1564
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3908 -ip 3908
1⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\capxqgbx.exe
Filesize
11.8MB

MD5
13e9336881b970ee8176c77daef75fb7

SHA1
fc2cca9596b7bc019ffdd8c6c0ded60b79835368

SHA256
c336ce48a723dfdc838d384d6ef6f6d641f9efe1745607d148fccc0b52bc9825

SHA512
c701cf43b1ec98c36adf5649e68cc4ec313331052c1b859798539beabc2fdfb58fbc112a5e35d70e183741706312a7802e64c57c4266f7cf3fa4c93a32661ecd

Download Submit
C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe
Filesize
11.8MB

MD5
13e9336881b970ee8176c77daef75fb7

SHA1
fc2cca9596b7bc019ffdd8c6c0ded60b79835368

SHA256
c336ce48a723dfdc838d384d6ef6f6d641f9efe1745607d148fccc0b52bc9825

SHA512
c701cf43b1ec98c36adf5649e68cc4ec313331052c1b859798539beabc2fdfb58fbc112a5e35d70e183741706312a7802e64c57c4266f7cf3fa4c93a32661ecd

Download Submit
memory/1564-135-0x0000000000630000-0x0000000000643000-memory.dmp

Filesize
76KB

Download
memory/1564-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2656-139-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/2656-144-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/2656-145-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/2656-146-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/2656-148-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/3908-143-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads