tofsee | 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20

General

Target

519a4bd72f7bc8a67c137c34d411b5be.exe
Size

312KB
MD5

519a4bd72f7bc8a67c137c34d411b5be
SHA1

37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256

61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512

7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP

3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qlavxuzo = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1212 netsh.exe

pid	process
1212	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlavxuzo\ImagePath = "C:\\Windows\\SysWOW64\\qlavxuzo\\szgjymfp.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1096 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

szgjymfp.exe

pid process

1760 szgjymfp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

szgjymfp.exe

description pid process target process

PID 1760 set thread context of 1096 1760 szgjymfp.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2044 sc.exe
1064 sc.exe
564 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1096	svchost.exe

pid	process
1760	szgjymfp.exe

description	pid	process	target process
PID 1760 set thread context of 1096	1760	szgjymfp.exe	svchost.exe

pid	process
2044	sc.exe
1064	sc.exe
564	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

519a4bd72f7bc8a67c137c34d411b5be.exeszgjymfp.exe

description	pid	process	target process
PID 920 wrote to memory of 1160	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 1160	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 1160	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 1160	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 2040	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 2040	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 2040	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 2040	920	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 920 wrote to memory of 1064	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 1064	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 1064	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 1064	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 564	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 564	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 564	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 564	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 2044	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 2044	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 2044	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 2044	920	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 920 wrote to memory of 1212	920	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 920 wrote to memory of 1212	920	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 920 wrote to memory of 1212	920	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 920 wrote to memory of 1212	920	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe
PID 1760 wrote to memory of 1096	1760	szgjymfp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlavxuzo\
2⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\szgjymfp.exe" C:\Windows\SysWOW64\qlavxuzo\
2⤵
PID:2040

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qlavxuzo binPath= "C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1064

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qlavxuzo "wifi internet conection"
2⤵
- Launches sc.exe
PID:564

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qlavxuzo
2⤵
- Launches sc.exe
PID:2044

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1212

C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe
C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgjymfp.exe
Filesize
11.6MB

MD5
1684c62b3dec4b911f6199d1d718f94b

SHA1
acadac4ba0439a2aeaf59ecd94298829e61871a7

SHA256
ddd6c3d5c07f11bc61c5af1be1a81885d6c836473dc1fd2b2edd7201a112704c

SHA512
5bdbde60dc0d7a021b041af520047ec9cc4a98d5ddb87dc0ee8cb61bb1a25858e4a9899d4d0feab6801a339a2f80f91f52d748590dd8ef7661efa8e201e5ba9e

Download Submit
C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe
Filesize
11.6MB

MD5
1684c62b3dec4b911f6199d1d718f94b

SHA1
acadac4ba0439a2aeaf59ecd94298829e61871a7

SHA256
ddd6c3d5c07f11bc61c5af1be1a81885d6c836473dc1fd2b2edd7201a112704c

SHA512
5bdbde60dc0d7a021b041af520047ec9cc4a98d5ddb87dc0ee8cb61bb1a25858e4a9899d4d0feab6801a339a2f80f91f52d748590dd8ef7661efa8e201e5ba9e

Download Submit
memory/920-56-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/920-60-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1096-61-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1096-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1096-63-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1096-67-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1096-68-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1096-69-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1096-70-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1760-64-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads