tofsee | 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20

General

Target

519a4bd72f7bc8a67c137c34d411b5be.exe
Size

312KB
MD5

519a4bd72f7bc8a67c137c34d411b5be
SHA1

37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256

61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512

7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP

3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4204 netsh.exe

pid	process
4204	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fgrhvgcc\ImagePath = "C:\\Windows\\SysWOW64\\fgrhvgcc\\ykspviom.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

519a4bd72f7bc8a67c137c34d411b5be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	519a4bd72f7bc8a67c137c34d411b5be.exe

Executes dropped EXE 1 IoCs

Processes:

ykspviom.exe

pid process

4244 ykspviom.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ykspviom.exe

description pid process target process

PID 4244 set thread context of 2400 4244 ykspviom.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1864 sc.exe
3612 sc.exe
2612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4244	ykspviom.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 4244 set thread context of 2400	4244	ykspviom.exe	svchost.exe

pid	process
1864	sc.exe
3612	sc.exe
2612	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = c4bc573cd7ad460124edb47d450dd49d084297dce82e72baa4c01e8acb64741ddce44eb786cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811da8644753decaf644490bdb5792cec935c02cff3b954758df21d5904e0a56913da814f7d3ce49d084295d9e13f4bb4c06d00fdadfd542fd69f430a36fba769249ec60b1b79bdf0012dc38ebc7c24eb925c01fda8e2377c88f2005469a8946c11d8834f7d3ce6ac5d2d109d5d4dc0bd763134fdc48d551de4ad035276a6cb2e569bb47d440dd49d642de6b0b1e351dda46d34fe089f571de4ad750534e3a26b0ada81537638e09d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74df05cd94	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

519a4bd72f7bc8a67c137c34d411b5be.exeykspviom.exe

description	pid	process	target process
PID 2444 wrote to memory of 4744	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 4744	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 4744	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 4436	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 4436	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 4436	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	cmd.exe
PID 2444 wrote to memory of 1864	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 1864	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 1864	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 3612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 3612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 3612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 2612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 2612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 2612	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	sc.exe
PID 2444 wrote to memory of 4204	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 2444 wrote to memory of 4204	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 2444 wrote to memory of 4204	2444	519a4bd72f7bc8a67c137c34d411b5be.exe	netsh.exe
PID 4244 wrote to memory of 2400	4244	ykspviom.exe	svchost.exe
PID 4244 wrote to memory of 2400	4244	ykspviom.exe	svchost.exe
PID 4244 wrote to memory of 2400	4244	ykspviom.exe	svchost.exe
PID 4244 wrote to memory of 2400	4244	ykspviom.exe	svchost.exe
PID 4244 wrote to memory of 2400	4244	ykspviom.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fgrhvgcc\
2⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ykspviom.exe" C:\Windows\SysWOW64\fgrhvgcc\
2⤵
PID:4436

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fgrhvgcc binPath= "C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1864

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fgrhvgcc "wifi internet conection"
2⤵
- Launches sc.exe
PID:3612

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fgrhvgcc
2⤵
- Launches sc.exe
PID:2612

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4204

C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe
C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ykspviom.exe
Filesize
12.3MB

MD5
6f56718a69347593ad7cb75f27a1608b

SHA1
5f10b4c56370734accfc923f03888681f255da8f

SHA256
bcaa0ba8aa029348da5b4d27afe10b93c9df5bf3e69d90cdbf3c38bd69aa2b7b

SHA512
23880ab0b71b6f40f277df9ebcf294f10c609c5cef126d010038eeadd3e739b79b4adb33ad2dedffe441a8728a0cf1f29f43ed1e2a4fdba98fb442b18e18a409

Download Submit
C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe
Filesize
12.3MB

MD5
6f56718a69347593ad7cb75f27a1608b

SHA1
5f10b4c56370734accfc923f03888681f255da8f

SHA256
bcaa0ba8aa029348da5b4d27afe10b93c9df5bf3e69d90cdbf3c38bd69aa2b7b

SHA512
23880ab0b71b6f40f277df9ebcf294f10c609c5cef126d010038eeadd3e739b79b4adb33ad2dedffe441a8728a0cf1f29f43ed1e2a4fdba98fb442b18e18a409

Download Submit
memory/2400-140-0x0000000000D80000-0x0000000000D95000-memory.dmp

Filesize
84KB

Download
memory/2400-144-0x0000000000D80000-0x0000000000D95000-memory.dmp

Filesize
84KB

Download
memory/2400-146-0x0000000000D80000-0x0000000000D95000-memory.dmp

Filesize
84KB

Download
memory/2400-145-0x0000000000D80000-0x0000000000D95000-memory.dmp

Filesize
84KB

Download
memory/2400-147-0x0000000000D80000-0x0000000000D95000-memory.dmp

Filesize
84KB

Download
memory/2444-135-0x0000000000880000-0x0000000000893000-memory.dmp

Filesize
76KB

Download
memory/2444-139-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4244-142-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads