tofsee | 19882daeac9da32308cd3340417db32d07bad3b023c78da4eacca0b948d17827

General

Target

0af220cda97fd59612ef2fd9d66807a0.exe
Size

11.5MB
MD5

0af220cda97fd59612ef2fd9d66807a0
SHA1

43701d2d5005e29bece43c006569925ee418f21a
SHA256

19882daeac9da32308cd3340417db32d07bad3b023c78da4eacca0b948d17827
SHA512

da9648742532a61e07177423c3423c6de6494ed1db2e045e8f76b3886c5a6207fee7576f643eca6b559ff2c78a5e3f401961afb0782b88de40cb842332dfb629
SSDEEP

49152:FVwj1RzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzT:bM1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2440	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dhxktguw\ImagePath = "C:\\Windows\\SysWOW64\\dhxktguw\\uxvqkrbl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	0af220cda97fd59612ef2fd9d66807a0.exe

Deletes itself 1 IoCs

pid	Process
2372	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	uxvqkrbl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2372	2284	uxvqkrbl.exe	108

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3784	sc.exe
2944	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	4020	WerFault.exe	19

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2024	4020	0af220cda97fd59612ef2fd9d66807a0.exe	65
PID 4020 wrote to memory of 2024	4020	0af220cda97fd59612ef2fd9d66807a0.exe	65
PID 4020 wrote to memory of 2024	4020	0af220cda97fd59612ef2fd9d66807a0.exe	65
PID 4020 wrote to memory of 3812	4020	0af220cda97fd59612ef2fd9d66807a0.exe	76
PID 4020 wrote to memory of 3812	4020	0af220cda97fd59612ef2fd9d66807a0.exe	76
PID 4020 wrote to memory of 3812	4020	0af220cda97fd59612ef2fd9d66807a0.exe	76
PID 4020 wrote to memory of 3784	4020	0af220cda97fd59612ef2fd9d66807a0.exe	85
PID 4020 wrote to memory of 3784	4020	0af220cda97fd59612ef2fd9d66807a0.exe	85
PID 4020 wrote to memory of 3784	4020	0af220cda97fd59612ef2fd9d66807a0.exe	85
PID 4020 wrote to memory of 2944	4020	0af220cda97fd59612ef2fd9d66807a0.exe	97
PID 4020 wrote to memory of 2944	4020	0af220cda97fd59612ef2fd9d66807a0.exe	97
PID 4020 wrote to memory of 2944	4020	0af220cda97fd59612ef2fd9d66807a0.exe	97
PID 4020 wrote to memory of 2604	4020	0af220cda97fd59612ef2fd9d66807a0.exe	103
PID 4020 wrote to memory of 2604	4020	0af220cda97fd59612ef2fd9d66807a0.exe	103
PID 4020 wrote to memory of 2604	4020	0af220cda97fd59612ef2fd9d66807a0.exe	103
PID 4020 wrote to memory of 2440	4020	0af220cda97fd59612ef2fd9d66807a0.exe	107
PID 4020 wrote to memory of 2440	4020	0af220cda97fd59612ef2fd9d66807a0.exe	107
PID 4020 wrote to memory of 2440	4020	0af220cda97fd59612ef2fd9d66807a0.exe	107
PID 2284 wrote to memory of 2372	2284	uxvqkrbl.exe	108
PID 2284 wrote to memory of 2372	2284	uxvqkrbl.exe	108
PID 2284 wrote to memory of 2372	2284	uxvqkrbl.exe	108
PID 2284 wrote to memory of 2372	2284	uxvqkrbl.exe	108
PID 2284 wrote to memory of 2372	2284	uxvqkrbl.exe	108

C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe
"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dhxktguw\
  2⤵
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uxvqkrbl.exe" C:\Windows\SysWOW64\dhxktguw\
  2⤵
  PID:3812
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create dhxktguw binPath= "C:\Windows\SysWOW64\dhxktguw\uxvqkrbl.exe /d\"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3784
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description dhxktguw "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2944
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start dhxktguw
  2⤵
  - Launches sc.exe
  PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 656
  2⤵
  - Program crash
  PID:2124
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2440

C:\Windows\SysWOW64\dhxktguw\uxvqkrbl.exe
C:\Windows\SysWOW64\dhxktguw\uxvqkrbl.exe /d"C:\Users\Admin\AppData\Local\Temp\0af220cda97fd59612ef2fd9d66807a0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4020 -ip 4020
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uxvqkrbl.exe

Filesize
47KB

MD5
38d1bee1c36e3bbf34f6ebdd2f9e7ec8

SHA1
a3ca0a83fdba6d68b14049741c16f9b344f57b6f

SHA256
82fc227f8f6d905f167d78d5c53c2622ff6ce6ba786a87c541ff315d43716a86

SHA512
72e922ea254a2deb0901510afabccc585584dd9e80d3f77e10acb7c96be8bdd0b79843c05d0191c003806f4c1b157879e6052721eeb37b1c61a10859fc2819d6

Download Submit
C:\Windows\SysWOW64\dhxktguw\uxvqkrbl.exe

Filesize
57KB

MD5
f04e23195bca3349d155420fb171689f

SHA1
11ecca48a8ee6020783a5d6e31027a9641e8c8af

SHA256
8be9215fbaa88afc7241ace00a1751d81d3366319966d4a9e19f5a3db761cd6d

SHA512
6289036b0e6bc2a0e7ccf27bd76c2b6605dbd8466e9bf9ce210e1c24de70bee51d4b673430fb64a145decb963b58240c45264371254f1898c6e4b0799d579166

Download Submit
memory/2284-12-0x0000000002C60000-0x0000000002D60000-memory.dmp

Filesize
1024KB

Download
memory/2284-18-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2284-13-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2372-17-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2372-15-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2372-16-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2372-10-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2372-19-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/4020-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4020-8-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/4020-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4020-4-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/4020-1-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads