tofsee | 6838dc249ad16a62aa7dded33837e4f04a3467359f7d571a0c4e59e963b6eea2

General

Target

0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe
Size

318KB
MD5

b101be318ab44ddbbabf025ef02e9a29
SHA1

0e3d67a5c6f97f6f1d23a9540336b3ded4eaa13f
SHA256

0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612
SHA512

79533d9d92770221a5631f942d48f893ec5cf0d3c8af899465b2cc4b4b92da5c3787cc65425c34d026fcb646b08348dd68ec14a3c9f56cdd914591594f8aa001
SSDEEP

3072:TpXtNfDL3hmn5585BYMpYEvLDWPS5Z2wg3z2zxBUb5EpMYNY0lKRfeJ:RnLL3h45VMpYi2czjlpxPcQJ

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vtvrmogu = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1820 netsh.exe

pid	process
1820	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vtvrmogu\ImagePath = "C:\\Windows\\SysWOW64\\vtvrmogu\\pjjbeose.exe"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1376 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

pjjbeose.exe

pid process

1624 pjjbeose.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pjjbeose.exe

description pid process target process

PID 1624 set thread context of 1376 1624 pjjbeose.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

656 sc.exe
1340 sc.exe
648 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1376	svchost.exe

pid	process
1624	pjjbeose.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

description	pid	process	target process
PID 1624 set thread context of 1376	1624	pjjbeose.exe	svchost.exe

pid	process
656	sc.exe
1340	sc.exe
648	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 3cc81f3d872b4c0124edb47d450dd49d084297dce82e72baa49f12fde47e721d47369d0287cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811da834c7c3be1a8644490bdb5792ce99c550cc8f58d3c74bbc4103d29fca46415df81457c39e09d084295d9e13f4bb4c06d00fdadfd5424d798400f33ffa065249ec60b1b79bdf0012dc58bb27821ee975e01cec4e13b7e85c12b496da0f15d15d8814a733cecab5114f459a447145e42b568fdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4caeec40298a46d34fdc741461ee4ad743c3cfdba6b12c383486a3fe1a9642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de7cc945d	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exepjjbeose.exe

description	pid	process	target process
PID 1680 wrote to memory of 108	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 108	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 108	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 108	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 1560	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 1560	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 1560	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 1560	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	cmd.exe
PID 1680 wrote to memory of 656	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 656	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 656	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 656	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 1340	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 1340	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 1340	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 1340	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 648	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 648	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 648	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 648	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	sc.exe
PID 1680 wrote to memory of 1820	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	netsh.exe
PID 1680 wrote to memory of 1820	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	netsh.exe
PID 1680 wrote to memory of 1820	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	netsh.exe
PID 1680 wrote to memory of 1820	1680	0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe	netsh.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe
PID 1624 wrote to memory of 1376	1624	pjjbeose.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe
"C:\Users\Admin\AppData\Local\Temp\0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vtvrmogu\
  2⤵
  PID:108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pjjbeose.exe" C:\Windows\SysWOW64\vtvrmogu\
  2⤵
  PID:1560
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create vtvrmogu binPath= "C:\Windows\SysWOW64\vtvrmogu\pjjbeose.exe /d\"C:\Users\Admin\AppData\Local\Temp\0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:656
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description vtvrmogu "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start vtvrmogu
  2⤵
  - Launches sc.exe
  PID:648
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1820

C:\Windows\SysWOW64\vtvrmogu\pjjbeose.exe
C:\Windows\SysWOW64\vtvrmogu\pjjbeose.exe /d"C:\Users\Admin\AppData\Local\Temp\0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pjjbeose.exe

Filesize
14.5MB

MD5
5ab10ba1b946e93b3e25d4a724b88184

SHA1
290cc435270ae492373a9a331948396475f35a15

SHA256
ad9ca1d5483ee1d8da5982ea316a22ed6f7775af629dae1f04dd70d8ef119b7f

SHA512
61edd1e3ea1e269f1b1402b3b9efb64a294afcef04904f98f555b7cfe3ff8c93068a39db72ec06d75c0c2aed79dbf2d90466af4e78dc1727905f2b455c71aa07

Download Submit
C:\Windows\SysWOW64\vtvrmogu\pjjbeose.exe

Filesize
14.5MB

MD5
5ab10ba1b946e93b3e25d4a724b88184

SHA1
290cc435270ae492373a9a331948396475f35a15

SHA256
ad9ca1d5483ee1d8da5982ea316a22ed6f7775af629dae1f04dd70d8ef119b7f

SHA512
61edd1e3ea1e269f1b1402b3b9efb64a294afcef04904f98f555b7cfe3ff8c93068a39db72ec06d75c0c2aed79dbf2d90466af4e78dc1727905f2b455c71aa07

Download Submit
memory/1376-61-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1376-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1376-63-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1376-67-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1376-68-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1376-69-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1376-71-0x0000000000090000-0x00000000000A5000-memory.dmp

Filesize
84KB

Download
memory/1624-65-0x0000000000400000-0x000000000236D000-memory.dmp

Filesize
31.4MB

Download
memory/1680-56-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1680-60-0x0000000000400000-0x000000000236D000-memory.dmp

Filesize
31.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads