tofsee | 28485c139a6355cb8429d01defe5cb89e8c0c8bfc1ad5f5520341812478000b1

General

Target

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
Size

154KB
MD5

5e867ae4a78726523d91eaea386fce6d
SHA1

c9ee64774b15ada9cbd52f88bb47057647978fac
SHA256

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
SHA512

74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344
SSDEEP

1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3840 netsh.exe

pid	process
3840	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\koplspzc\ImagePath = "C:\\Windows\\SysWOW64\\koplspzc\\qyrhmjbl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe

Executes dropped EXE 1 IoCs

Processes:

qyrhmjbl.exe

pid process

3908 qyrhmjbl.exe

pid	process
3908	qyrhmjbl.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qyrhmjbl.exe

description pid process target process

PID 3908 set thread context of 4940 3908 qyrhmjbl.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2528 sc.exe
4192 sc.exe
1100 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3908 set thread context of 4940	3908	qyrhmjbl.exe	svchost.exe

pid	process
2528	sc.exe
4192	sc.exe
1100	sc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 6 IoCs

Processes:

explorer.exemspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

3088 mspaint.exe
3088 mspaint.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mspaint.exeOpenWith.exe

pid process

3088 mspaint.exe
4472 OpenWith.exe

pid	process
3088	mspaint.exe
3088	mspaint.exe

pid	process
3088	mspaint.exe
4472	OpenWith.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exeqyrhmjbl.exe

description	pid	process	target process
PID 3476 wrote to memory of 1216	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 1216	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 1216	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 780	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 780	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 780	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	cmd.exe
PID 3476 wrote to memory of 2528	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 2528	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 2528	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 4192	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 4192	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 4192	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 1100	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 1100	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 1100	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	sc.exe
PID 3476 wrote to memory of 3840	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 3476 wrote to memory of 3840	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 3476 wrote to memory of 3840	3476	78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe	netsh.exe
PID 3908 wrote to memory of 4940	3908	qyrhmjbl.exe	svchost.exe
PID 3908 wrote to memory of 4940	3908	qyrhmjbl.exe	svchost.exe
PID 3908 wrote to memory of 4940	3908	qyrhmjbl.exe	svchost.exe
PID 3908 wrote to memory of 4940	3908	qyrhmjbl.exe	svchost.exe
PID 3908 wrote to memory of 4940	3908	qyrhmjbl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\koplspzc\
  2⤵
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qyrhmjbl.exe" C:\Windows\SysWOW64\koplspzc\
  2⤵
  PID:780
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create koplspzc binPath= "C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2528
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description koplspzc "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4192
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start koplspzc
  2⤵
  - Launches sc.exe
  PID:1100
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3840

C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe
C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe /d"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3128

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OptimizeEnter.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qyrhmjbl.exe

Filesize
14.6MB

MD5
b6f6c0d91799f827dd0a61a08d167f3b

SHA1
b11fb9ba718fbd7a02e048fb2247f12c551e2ca4

SHA256
8a100743e736069c41ab1507f67dbea09179446995b1e85040683e508e4d526d

SHA512
ed7f30f3b9d97e830b560855b0d9c4e442f0876745f46044943eb400ac248784333f4cdb2b1dafffaa2b1be8348624c056fab02e6df343a7d9b7f7aaeee40fc6

Download Submit
C:\Windows\SysWOW64\koplspzc\qyrhmjbl.exe

Filesize
14.6MB

MD5
b6f6c0d91799f827dd0a61a08d167f3b

SHA1
b11fb9ba718fbd7a02e048fb2247f12c551e2ca4

SHA256
8a100743e736069c41ab1507f67dbea09179446995b1e85040683e508e4d526d

SHA512
ed7f30f3b9d97e830b560855b0d9c4e442f0876745f46044943eb400ac248784333f4cdb2b1dafffaa2b1be8348624c056fab02e6df343a7d9b7f7aaeee40fc6

Download Submit
memory/1560-151-0x000002AAA4D30000-0x000002AAA4D40000-memory.dmp

Filesize
64KB

Download
memory/1560-170-0x000002AAADAD0000-0x000002AAADAD1000-memory.dmp

Filesize
4KB

Download
memory/1560-169-0x000002AAADAD0000-0x000002AAADAD1000-memory.dmp

Filesize
4KB

Download
memory/1560-168-0x000002AAADAC0000-0x000002AAADAC1000-memory.dmp

Filesize
4KB

Download
memory/1560-167-0x000002AAADAC0000-0x000002AAADAC1000-memory.dmp

Filesize
4KB

Download
memory/1560-166-0x000002AAADA30000-0x000002AAADA31000-memory.dmp

Filesize
4KB

Download
memory/1560-164-0x000002AAADA30000-0x000002AAADA31000-memory.dmp

Filesize
4KB

Download
memory/1560-162-0x000002AAAD9B0000-0x000002AAAD9B1000-memory.dmp

Filesize
4KB

Download
memory/1560-155-0x000002AAA4D70000-0x000002AAA4D80000-memory.dmp

Filesize
64KB

Download
memory/3476-139-0x000000005F000000-0x000000005F011000-memory.dmp

Filesize
68KB

Download
memory/3476-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-135-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3476-134-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3908-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3908-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-149-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/4940-150-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/4940-148-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/4940-146-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/4940-142-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads