tofsee | 28485c139a6355cb8429d01defe5cb89e8c0c8bfc1ad5f5520341812478000b1

General

Target

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
Size

154KB
MD5

5e867ae4a78726523d91eaea386fce6d
SHA1

c9ee64774b15ada9cbd52f88bb47057647978fac
SHA256

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
SHA512

74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344
SSDEEP

1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1196 netsh.exe

pid	process
1196	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\huagtpqe\ImagePath = "C:\\Windows\\SysWOW64\\huagtpqe\\gtjsdqdx.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1120 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

gtjsdqdx.exe

pid process

1992 gtjsdqdx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gtjsdqdx.exe

description pid process target process

PID 1992 set thread context of 1120 1992 gtjsdqdx.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

472 sc.exe
1916 sc.exe
1820 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1120	svchost.exe

pid	process
1992	gtjsdqdx.exe

description	pid	process	target process
PID 1992 set thread context of 1120	1992	gtjsdqdx.exe	svchost.exe

pid	process
472	sc.exe
1916	sc.exe
1820	sc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	632	AUDIODG.EXE
Token: 33	632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	632	AUDIODG.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exegtjsdqdx.exe

description	pid	process	target process
PID 2000 wrote to memory of 2008	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 2008	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 2008	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 2008	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 1540	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 1540	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 1540	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 1540	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 2000 wrote to memory of 472	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 472	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 472	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 472	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1916	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1916	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1916	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1916	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1820	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1820	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1820	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1820	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 2000 wrote to memory of 1196	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 2000 wrote to memory of 1196	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 2000 wrote to memory of 1196	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 2000 wrote to memory of 1196	2000	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe
PID 1992 wrote to memory of 1120	1992	gtjsdqdx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\huagtpqe\
2⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gtjsdqdx.exe" C:\Windows\SysWOW64\huagtpqe\
2⤵
PID:1540

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create huagtpqe binPath= "C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:472

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description huagtpqe "wifi internet conection"
2⤵
- Launches sc.exe
PID:1916

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start huagtpqe
2⤵
- Launches sc.exe
PID:1820

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:1196

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:588

C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe
C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe /d"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:1120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gtjsdqdx.exe
Filesize
14.1MB

MD5
6f87bb2bd16eee83b87840368166bcd9

SHA1
4b2c9bd91380d6712aaace1240dd60f8ac703fbf

SHA256
6cf4c7502d099f53f0db3900ca17972a265fea47453f076a17bbf88c754276f1

SHA512
bd6e28217067612307820b8a6d94003c06945c78b2ea6c074933ee9e53313623f8a8d7882f8fe58d40ae468d624bf1a8f48393153dace575c81dcfabf6a88319

Download Submit
C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe
Filesize
14.1MB

MD5
6f87bb2bd16eee83b87840368166bcd9

SHA1
4b2c9bd91380d6712aaace1240dd60f8ac703fbf

SHA256
6cf4c7502d099f53f0db3900ca17972a265fea47453f076a17bbf88c754276f1

SHA512
bd6e28217067612307820b8a6d94003c06945c78b2ea6c074933ee9e53313623f8a8d7882f8fe58d40ae468d624bf1a8f48393153dace575c81dcfabf6a88319

Download Submit
memory/1120-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1120-63-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1120-73-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1120-72-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1120-71-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1120-70-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1120-65-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/1992-68-0x00000000050E0000-0x00000000050F1000-memory.dmp

Filesize
68KB

Download
memory/1992-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-56-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2000-61-0x00000000050E0000-0x00000000050F1000-memory.dmp

Filesize
68KB

Download
memory/2000-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-55-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads