tofsee | a8ffadf2ab8d3c75298773b6b619a6e5cbfc9557592f2993195f82d12987f049

General

Target

de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe
Size

302KB
MD5

c47f32f68a1ca3309768b48ec98cd752
SHA1

ab24f2d6a2cacd0b807b2a174e4c43e8d629b32e
SHA256

de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b
SHA512

747db0d277eac21cdb2f51862fe861e27b444bdae4ed08bcc92a92d27c75c6ee602723fa102a3501f980bea18bd2c9a500113c6e9cf42d752240e145b1bd610d
SSDEEP

3072:Muy7xHO5Ur+3sfGjmvp8hPdJidlfZl8ebAGMR5zODTKchd+OH:xy7xHvrmsejm6d2NZlDAGMHOKcv+y

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4008 netsh.exe

pid	process
4008	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nzzzvfui\ImagePath = "C:\\Windows\\SysWOW64\\nzzzvfui\\tahkzngq.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe

Executes dropped EXE 1 IoCs

Processes:

tahkzngq.exe

pid process

3756 tahkzngq.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tahkzngq.exe

description pid process target process

PID 3756 set thread context of 3428 3756 tahkzngq.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1472 sc.exe
1076 sc.exe
112 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3756	tahkzngq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 3756 set thread context of 3428	3756	tahkzngq.exe	svchost.exe

pid	process
1472	sc.exe
1076	sc.exe
112	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4104	396	WerFault.exe	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe
2616	3756	WerFault.exe	tahkzngq.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = b431b63d77725f0124edb47d450dd49d084297dce82e72baa49645fd8420eb1d7898342e80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811db8c48723becaa644490bdb67f27e8935f0dcafd8d3c74bbc4103d35f5a06f1dd48644713cd4f10b4c90d8f6127db9a4593494b48d792ad698410536fba36f249ec60b1b79bdf0012dd98cb07522ef975c06ccfc8d387287cc186270a4f93824dc81487235e1ab5214c5bd606d62ddd7d2ffa1c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bdf3279dcbe16d34fdc48e980fe7ad743d05f5a47312db9a4a7123e6a8502df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d042e955d24	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exetahkzngq.exe

description	pid	process	target process
PID 396 wrote to memory of 4108	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 4108	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 4108	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 3524	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 3524	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 3524	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	cmd.exe
PID 396 wrote to memory of 1472	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 1472	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 1472	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 1076	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 1076	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 1076	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 112	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 112	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 112	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	sc.exe
PID 396 wrote to memory of 4008	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	netsh.exe
PID 396 wrote to memory of 4008	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	netsh.exe
PID 396 wrote to memory of 4008	396	de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe	netsh.exe
PID 3756 wrote to memory of 3428	3756	tahkzngq.exe	svchost.exe
PID 3756 wrote to memory of 3428	3756	tahkzngq.exe	svchost.exe
PID 3756 wrote to memory of 3428	3756	tahkzngq.exe	svchost.exe
PID 3756 wrote to memory of 3428	3756	tahkzngq.exe	svchost.exe
PID 3756 wrote to memory of 3428	3756	tahkzngq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe
"C:\Users\Admin\AppData\Local\Temp\de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nzzzvfui\
  2⤵
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tahkzngq.exe" C:\Windows\SysWOW64\nzzzvfui\
  2⤵
  PID:3524
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nzzzvfui binPath= "C:\Windows\SysWOW64\nzzzvfui\tahkzngq.exe /d\"C:\Users\Admin\AppData\Local\Temp\de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1472
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nzzzvfui "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1076
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nzzzvfui
  2⤵
  - Launches sc.exe
  PID:112
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 772
  2⤵
  - Program crash
  PID:4104

C:\Windows\SysWOW64\nzzzvfui\tahkzngq.exe
C:\Windows\SysWOW64\nzzzvfui\tahkzngq.exe /d"C:\Users\Admin\AppData\Local\Temp\de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 512
  2⤵
  - Program crash
  PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 396 -ip 396
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3756 -ip 3756
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tahkzngq.exe

Filesize
11.5MB

MD5
70047f5d8fa250136fed03336e705e45

SHA1
b8e5777f259ab73ac1cbb6d1426490ec00451c28

SHA256
5e345d0d99d5429f1e5bfe1d8da8d3a966627a03a1e4cd1340427b59aa1decc7

SHA512
b2c19e07f69e05086c5b437a6ceecc6868ad49ac6839cdab64f30490b0607b7bef4da16e9b9755594de6358d60efefdb35861d1e5596b9f7312763d12cf75473

Download Submit
C:\Windows\SysWOW64\nzzzvfui\tahkzngq.exe

Filesize
11.5MB

MD5
70047f5d8fa250136fed03336e705e45

SHA1
b8e5777f259ab73ac1cbb6d1426490ec00451c28

SHA256
5e345d0d99d5429f1e5bfe1d8da8d3a966627a03a1e4cd1340427b59aa1decc7

SHA512
b2c19e07f69e05086c5b437a6ceecc6868ad49ac6839cdab64f30490b0607b7bef4da16e9b9755594de6358d60efefdb35861d1e5596b9f7312763d12cf75473

Download Submit
memory/396-135-0x0000000000CB0000-0x0000000000CC3000-memory.dmp

Filesize
76KB

Download
memory/396-139-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/3428-140-0x0000000000750000-0x0000000000765000-memory.dmp

Filesize
84KB

Download
memory/3428-143-0x0000000000750000-0x0000000000765000-memory.dmp

Filesize
84KB

Download
memory/3428-145-0x0000000000750000-0x0000000000765000-memory.dmp

Filesize
84KB

Download
memory/3428-146-0x0000000000750000-0x0000000000765000-memory.dmp

Filesize
84KB

Download
memory/3428-148-0x0000000000750000-0x0000000000765000-memory.dmp

Filesize
84KB

Download
memory/3756-144-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads