tofsee | 650b125ce1f1646d33549681d7a1cfc8846f01a94d96d7cf1654cb1499442828

General

Target

file.exe
Size

237KB
MD5

5f22cf2b4084eeb86e75a33e469f8618
SHA1

dcae74f903c5bf5ea85d20ff674ebc747eda60dd
SHA256

650b125ce1f1646d33549681d7a1cfc8846f01a94d96d7cf1654cb1499442828
SHA512

2fde1c85438e3e52cbc95def2e245b131dee2f5b8953d872f12adbbfcba835f467b43b482fe26b61d4d7d36615a7271412b5fc646f5b8c0a3cca709b1581a642
SSDEEP

3072:DBGOKty9CLpLgdVLKNIFMae2nsvmPo+kysBmK:NBDgtLgzLoahnseEysZ

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3272 netsh.exe

pid	process
3272	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sbfjbcgi\ImagePath = "C:\\Windows\\SysWOW64\\sbfjbcgi\\hxtidvtb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

hxtidvtb.exe

pid process

1652 hxtidvtb.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hxtidvtb.exe

description pid process target process

PID 1652 set thread context of 4008 1652 hxtidvtb.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3908 sc.exe
320 sc.exe
3376 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
1652	hxtidvtb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 1652 set thread context of 4008	1652	hxtidvtb.exe	svchost.exe

pid	process
3908	sc.exe
320	sc.exe
3376	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 14be773c8570580124edb47d450dd49d084297dce82e72baa4c07b8a9047001d3c02794585cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811db8d4f753ae6a8644490bdb77d20eb935d03fdace40b7480ad590b34ffad6513df8d484461bbfc004886e2ed2914e9a40444fdf6bc662bd29d4d083cf9942e569beb092d60b19d5515c68bb5792de99c5a3491abee3571bbd91d5061cda56811db8d4f753ae6a464c9d40784cca911f86d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d645a9e34920814dda46d3731d68e541de4ac4c0d2afba27313d89a4f7139d49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad973c04cd	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.exehxtidvtb.exe

description	pid	process	target process
PID 2792 wrote to memory of 2180	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 2180	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 2180	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 1768	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 1768	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 1768	2792	file.exe	cmd.exe
PID 2792 wrote to memory of 3376	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3376	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3376	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3908	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3908	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3908	2792	file.exe	sc.exe
PID 2792 wrote to memory of 320	2792	file.exe	sc.exe
PID 2792 wrote to memory of 320	2792	file.exe	sc.exe
PID 2792 wrote to memory of 320	2792	file.exe	sc.exe
PID 2792 wrote to memory of 3272	2792	file.exe	netsh.exe
PID 2792 wrote to memory of 3272	2792	file.exe	netsh.exe
PID 2792 wrote to memory of 3272	2792	file.exe	netsh.exe
PID 1652 wrote to memory of 4008	1652	hxtidvtb.exe	svchost.exe
PID 1652 wrote to memory of 4008	1652	hxtidvtb.exe	svchost.exe
PID 1652 wrote to memory of 4008	1652	hxtidvtb.exe	svchost.exe
PID 1652 wrote to memory of 4008	1652	hxtidvtb.exe	svchost.exe
PID 1652 wrote to memory of 4008	1652	hxtidvtb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sbfjbcgi\
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hxtidvtb.exe" C:\Windows\SysWOW64\sbfjbcgi\
  2⤵
  PID:1768
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create sbfjbcgi binPath= "C:\Windows\SysWOW64\sbfjbcgi\hxtidvtb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3376
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description sbfjbcgi "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:3908
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start sbfjbcgi
  2⤵
  - Launches sc.exe
  PID:320
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3272

C:\Windows\SysWOW64\sbfjbcgi\hxtidvtb.exe
C:\Windows\SysWOW64\sbfjbcgi\hxtidvtb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hxtidvtb.exe

Filesize
13.0MB

MD5
442d7067b11062495b2570bb88e6a84b

SHA1
41c8824ffc721e9615b76028956f1a169b3eaec5

SHA256
b4d5d6d46d95cfd3344a3aea8321898a3772b27f61c275a5eaf13fb0335355d5

SHA512
d40ce842178316598682345119b00dabbea3e5f94dbf77a1cec9908525fbe2ab6ae2e36682dfbe731f8eed87f814318e21aa7d5bd3c71e7ebee04f9cb3f49e99

Download Submit
C:\Windows\SysWOW64\sbfjbcgi\hxtidvtb.exe

Filesize
13.0MB

MD5
442d7067b11062495b2570bb88e6a84b

SHA1
41c8824ffc721e9615b76028956f1a169b3eaec5

SHA256
b4d5d6d46d95cfd3344a3aea8321898a3772b27f61c275a5eaf13fb0335355d5

SHA512
d40ce842178316598682345119b00dabbea3e5f94dbf77a1cec9908525fbe2ab6ae2e36682dfbe731f8eed87f814318e21aa7d5bd3c71e7ebee04f9cb3f49e99

Download Submit
memory/1652-141-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2792-134-0x0000000000920000-0x0000000000933000-memory.dmp

Filesize
76KB

Download
memory/2792-138-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/4008-140-0x0000000000B90000-0x0000000000BA5000-memory.dmp

Filesize
84KB

Download
memory/4008-144-0x0000000000B90000-0x0000000000BA5000-memory.dmp

Filesize
84KB

Download
memory/4008-145-0x0000000000B90000-0x0000000000BA5000-memory.dmp

Filesize
84KB

Download
memory/4008-146-0x0000000000B90000-0x0000000000BA5000-memory.dmp

Filesize
84KB

Download
memory/4008-148-0x0000000000B90000-0x0000000000BA5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads