tofsee | 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20

General

Target

519a4bd72f7bc8a67c137c34d411b5be.exe
Size

312KB
MD5

519a4bd72f7bc8a67c137c34d411b5be
SHA1

37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256

61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512

7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP

3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5000 netsh.exe

pid	process
5000	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jfufqkey\ImagePath = "C:\\Windows\\SysWOW64\\jfufqkey\\mkuvxtwc.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

519a4bd72f7bc8a67c137c34d411b5be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	519a4bd72f7bc8a67c137c34d411b5be.exe

Executes dropped EXE 1 IoCs

Processes:

mkuvxtwc.exe

pid process

4940 mkuvxtwc.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mkuvxtwc.exe

description pid process target process

PID 4940 set thread context of 1908 4940 mkuvxtwc.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2420 sc.exe
2244 sc.exe
236 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4940	mkuvxtwc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 4940 set thread context of 1908	4940	mkuvxtwc.exe	svchost.exe

pid	process
2420	sc.exe
2244	sc.exe
236	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = acbb973d5cad460124edb47d450dd49d084297dce82e72baa4c02a8add2d891d0639326286cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811da86447434e1a5644490bdb57b21e59c5e0dc8f6be54758df21d5904f4ac6a10d4844b7538d4f10b4c90d8f6127db9a4593494b48d662fd69a430f32fea05d579fc2223064b9f86400c288b47525e5955d03fda8e2377c88f2005469a8946c11d8834f7d3ce4a4522d109d0b4d4cbd763134fdc48d551de4ad035276a6cb2e569bb47d440dd49d642d83d70d5b51dda46d34fe089f571de4ad750534e3a26b0ada81537638e09d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74de05cd94	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

519a4bd72f7bc8a67c137c34d411b5be.exemkuvxtwc.exe

description	pid	process	target process
PID 4928 wrote to memory of 772	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 772	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 772	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 4404	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 4404	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 4404	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 4928 wrote to memory of 2420	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 2420	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 2420	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 2244	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 2244	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 2244	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 236	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 236	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 236	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 4928 wrote to memory of 5000	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 4928 wrote to memory of 5000	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 4928 wrote to memory of 5000	4928	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 4940 wrote to memory of 1908	4940	mkuvxtwc.exe	svchost.exe
PID 4940 wrote to memory of 1908	4940	mkuvxtwc.exe	svchost.exe
PID 4940 wrote to memory of 1908	4940	mkuvxtwc.exe	svchost.exe
PID 4940 wrote to memory of 1908	4940	mkuvxtwc.exe	svchost.exe
PID 4940 wrote to memory of 1908	4940	mkuvxtwc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jfufqkey\
2⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mkuvxtwc.exe" C:\Windows\SysWOW64\jfufqkey\
2⤵
PID:4404

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jfufqkey binPath= "C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jfufqkey "wifi internet conection"
2⤵
- Launches sc.exe
PID:2244

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jfufqkey
2⤵
- Launches sc.exe
PID:236

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:5000

C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe
C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mkuvxtwc.exe
Filesize
12.9MB

MD5
39b72fd450dbdc2b55846dc633726b38

SHA1
553cf6c64fb995ea6949c0ec0cb8c9d271a94647

SHA256
bec5f32f8333f77ba501442bedbee8f49cde90d9406d3bf65715091056a53230

SHA512
c0e8543e9d96fb485d38898cf371999e161e85d9958fed1fd3d98c3a16caf4da324150daac46ae42d5202bfa7efcd1cf82a3e540a1b205ff28286fef0f2b2057

Download Submit
C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe
Filesize
12.9MB

MD5
39b72fd450dbdc2b55846dc633726b38

SHA1
553cf6c64fb995ea6949c0ec0cb8c9d271a94647

SHA256
bec5f32f8333f77ba501442bedbee8f49cde90d9406d3bf65715091056a53230

SHA512
c0e8543e9d96fb485d38898cf371999e161e85d9958fed1fd3d98c3a16caf4da324150daac46ae42d5202bfa7efcd1cf82a3e540a1b205ff28286fef0f2b2057

Download Submit
memory/1908-140-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1908-144-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1908-145-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1908-146-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/1908-147-0x00000000008E0000-0x00000000008F5000-memory.dmp

Filesize
84KB

Download
memory/4928-135-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/4928-137-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4940-143-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads