tofsee | 19882daeac9da32308cd3340417db32d07bad3b023c78da4eacca0b948d17827

General

Target

0af220cda97fd59612ef2fd9d66807a0.exe
Size

11.5MB
MD5

0af220cda97fd59612ef2fd9d66807a0
SHA1

43701d2d5005e29bece43c006569925ee418f21a
SHA256

19882daeac9da32308cd3340417db32d07bad3b023c78da4eacca0b948d17827
SHA512

da9648742532a61e07177423c3423c6de6494ed1db2e045e8f76b3886c5a6207fee7576f643eca6b559ff2c78a5e3f401961afb0782b88de40cb842332dfb629
SSDEEP

49152:FVwj1RzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzT:bM1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2548	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	ykrlqwjr.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3000	sc.exe
1376	sc.exe
2544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2884	1672	0af220cda97fd59612ef2fd9d66807a0.exe	28
PID 1672 wrote to memory of 2884	1672	0af220cda97fd59612ef2fd9d66807a0.exe	28
PID 1672 wrote to memory of 2884	1672	0af220cda97fd59612ef2fd9d66807a0.exe	28
PID 1672 wrote to memory of 2884	1672	0af220cda97fd59612ef2fd9d66807a0.exe	28
PID 1672 wrote to memory of 2192	1672	0af220cda97fd59612ef2fd9d66807a0.exe	31
PID 1672 wrote to memory of 2192	1672	0af220cda97fd59612ef2fd9d66807a0.exe	31
PID 1672 wrote to memory of 2192	1672	0af220cda97fd59612ef2fd9d66807a0.exe	31
PID 1672 wrote to memory of 2192	1672	0af220cda97fd59612ef2fd9d66807a0.exe	31
PID 1672 wrote to memory of 3000	1672	0af220cda97fd59612ef2fd9d66807a0.exe	32
PID 1672 wrote to memory of 3000	1672	0af220cda97fd59612ef2fd9d66807a0.exe	32
PID 1672 wrote to memory of 3000	1672	0af220cda97fd59612ef2fd9d66807a0.exe	32
PID 1672 wrote to memory of 3000	1672	0af220cda97fd59612ef2fd9d66807a0.exe	32
PID 1672 wrote to memory of 1376	1672	0af220cda97fd59612ef2fd9d66807a0.exe	35
PID 1672 wrote to memory of 1376	1672	0af220cda97fd59612ef2fd9d66807a0.exe	35
PID 1672 wrote to memory of 1376	1672	0af220cda97fd59612ef2fd9d66807a0.exe	35
PID 1672 wrote to memory of 1376	1672	0af220cda97fd59612ef2fd9d66807a0.exe	35
PID 1672 wrote to memory of 2544	1672	0af220cda97fd59612ef2fd9d66807a0.exe	37
PID 1672 wrote to memory of 2544	1672	0af220cda97fd59612ef2fd9d66807a0.exe	37
PID 1672 wrote to memory of 2544	1672	0af220cda97fd59612ef2fd9d66807a0.exe	37
PID 1672 wrote to memory of 2544	1672	0af220cda97fd59612ef2fd9d66807a0.exe	37
PID 1672 wrote to memory of 2548	1672	0af220cda97fd59612ef2fd9d66807a0.exe	39
PID 1672 wrote to memory of 2548	1672	0af220cda97fd59612ef2fd9d66807a0.exe	39
PID 1672 wrote to memory of 2548	1672	0af220cda97fd59612ef2fd9d66807a0.exe	39
PID 1672 wrote to memory of 2548	1672	0af220cda97fd59612ef2fd9d66807a0.exe	39

C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe
"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tvglwgor\
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ykrlqwjr.exe" C:\Windows\SysWOW64\tvglwgor\
  2⤵
  PID:2192
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create tvglwgor binPath= "C:\Windows\SysWOW64\tvglwgor\ykrlqwjr.exe /d\"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3000
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description tvglwgor "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1376
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start tvglwgor
  2⤵
  - Launches sc.exe
  PID:2544
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2548

C:\Windows\SysWOW64\tvglwgor\ykrlqwjr.exe
C:\Windows\SysWOW64\tvglwgor\ykrlqwjr.exe /d"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe"
1⤵
- Executes dropped EXE
PID:2640
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ykrlqwjr.exe

Filesize
1.0MB

MD5
a199a2da877323b524c278dbdd3b784c

SHA1
91309e7ed554827dc700de329e4298145b223cb8

SHA256
5ee66c15c37ef5052471c96652d8aa9a6e61a9d38d0f8823a9835be4d9f3429b

SHA512
73bedb6a26f8839631f32a796b78d7c550d27b647807ac7024884afe7bc700c2ce50f716644e95fce5f032bff84401b9091b7b607bf210722c4fb1ac07d9cc68

Download Submit
C:\Windows\SysWOW64\tvglwgor\ykrlqwjr.exe

Filesize
877KB

MD5
019a987b6177925d9b5b29d60bc6d85c

SHA1
82128465d62fd36fcb8799c931b9c2ed48254728

SHA256
646373c74563c30d63854fac4615e5467d436eb0037e2c47b1cf094f735a6187

SHA512
c3f178464062d671ceeb9a5f31f6db1eaa315c7725242015e270fd581ae38c2f365bb5eee8fcc54aacafbd7eac3ecbf6834ff82683d44edbbbea2cc87c4419e7

Download Submit
memory/1672-1-0x0000000002FE0000-0x00000000030E0000-memory.dmp

Filesize
1024KB

Download
memory/1672-3-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1672-4-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/1672-8-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2600-12-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2600-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-9-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2600-18-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2600-19-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2600-20-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2600-21-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/2640-13-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/2640-17-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads