tofsee | 63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667

General

Target

file.exe
Size

298KB
MD5

b7c137a18093f43fa0ac50865cc34f9c
SHA1

93727de39d92f6934d4ddee26728b207a212428e
SHA256

63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667
SHA512

40683347b6f3dd2f18d15d5bfaa64d98f6ca88d1497bac811483366c59e5c786914dd32445981f774666b20053390f18d5a01f278162ba85bf75866edf6c95d6
SSDEEP

3072:/UgGk8D2CKiH+U3XmE5kDOXkqVDE/zpUp+rqdyy76kgREiwUP7A6qVxWm5iT/Hrq:Ret/X/GDwpELm04B710Ej2qVA8i

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gnisupef = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

924 netsh.exe

pid	process
924	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gnisupef\ImagePath = "C:\\Windows\\SysWOW64\\gnisupef\\mggyblpb.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1788 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

mggyblpb.exe

pid process

1760 mggyblpb.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mggyblpb.exe

description pid process target process

PID 1760 set thread context of 1788 1760 mggyblpb.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

340 sc.exe
672 sc.exe
1376 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1788	svchost.exe

pid	process
1760	mggyblpb.exe

description	pid	process	target process
PID 1760 set thread context of 1788	1760	mggyblpb.exe	svchost.exe

pid	process
340	sc.exe
672	sc.exe
1376	sc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

file.exemggyblpb.exe

description	pid	process	target process
PID 1556 wrote to memory of 1356	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1356	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1356	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1356	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1092	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1092	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1092	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 1092	1556	file.exe	cmd.exe
PID 1556 wrote to memory of 340	1556	file.exe	sc.exe
PID 1556 wrote to memory of 340	1556	file.exe	sc.exe
PID 1556 wrote to memory of 340	1556	file.exe	sc.exe
PID 1556 wrote to memory of 340	1556	file.exe	sc.exe
PID 1556 wrote to memory of 672	1556	file.exe	sc.exe
PID 1556 wrote to memory of 672	1556	file.exe	sc.exe
PID 1556 wrote to memory of 672	1556	file.exe	sc.exe
PID 1556 wrote to memory of 672	1556	file.exe	sc.exe
PID 1556 wrote to memory of 1376	1556	file.exe	sc.exe
PID 1556 wrote to memory of 1376	1556	file.exe	sc.exe
PID 1556 wrote to memory of 1376	1556	file.exe	sc.exe
PID 1556 wrote to memory of 1376	1556	file.exe	sc.exe
PID 1556 wrote to memory of 924	1556	file.exe	netsh.exe
PID 1556 wrote to memory of 924	1556	file.exe	netsh.exe
PID 1556 wrote to memory of 924	1556	file.exe	netsh.exe
PID 1556 wrote to memory of 924	1556	file.exe	netsh.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe
PID 1760 wrote to memory of 1788	1760	mggyblpb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gnisupef\
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mggyblpb.exe" C:\Windows\SysWOW64\gnisupef\
2⤵
PID:1092

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gnisupef binPath= "C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:340

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gnisupef "wifi internet conection"
2⤵
- Launches sc.exe
PID:672

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gnisupef
2⤵
- Launches sc.exe
PID:1376

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:924

C:\Windows\SysWOW64\gnisupef\mggyblpb.exe
C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mggyblpb.exe
Filesize
12.6MB

MD5
7374c61396592bcb0ed557aa2e10eae4

SHA1
9036454303086bca9ba05f3bf27ff0c93b438d35

SHA256
cd2d5fedd4f5dd1bc7559aa719dc350630889bbdfba95c2e367a74ffe66586eb

SHA512
297ab13c84257879d3f5bb3729c67f1e30d27f4ec7ca01ceab148fe6a0a8ef46626b719910dc49aad6e4df51ca1229cb9e94d836e2df86d7d0c52d3612e9895e

Download Submit
C:\Windows\SysWOW64\gnisupef\mggyblpb.exe
Filesize
12.6MB

MD5
7374c61396592bcb0ed557aa2e10eae4

SHA1
9036454303086bca9ba05f3bf27ff0c93b438d35

SHA256
cd2d5fedd4f5dd1bc7559aa719dc350630889bbdfba95c2e367a74ffe66586eb

SHA512
297ab13c84257879d3f5bb3729c67f1e30d27f4ec7ca01ceab148fe6a0a8ef46626b719910dc49aad6e4df51ca1229cb9e94d836e2df86d7d0c52d3612e9895e

Download Submit
memory/1556-56-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1556-59-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/1760-64-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/1788-63-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1788-61-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-66-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-67-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-68-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-69-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1788-70-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads