tofsee | 790ff7291e4267aeaffdd71ea6767353b0f46ee27dc9b1d287797d2f403b0715

General

Target

0a6f8d6155ae1fd81f089e2f2459d79a.exe
Size

10.5MB
MD5

0a6f8d6155ae1fd81f089e2f2459d79a
SHA1

9ed665dcff37925024f78a80001e88e230054146
SHA256

790ff7291e4267aeaffdd71ea6767353b0f46ee27dc9b1d287797d2f403b0715
SHA512

fa27d4bef6d28d06f326b236fd0f02679074c5fe8a24f7a796a79acfdf3a28fff91fd22dd7bd83e538813d67c4cf894f7114c41a8c384280943f8d77130f3646
SSDEEP

98304:xbxPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:xb

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

defeatwax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4916	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xosdbwxu\ImagePath = "C:\\Windows\\SysWOW64\\xosdbwxu\\seqnwud.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	0a6f8d6155ae1fd81f089e2f2459d79a.exe

Deletes itself 1 IoCs

pid	Process
3624	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
956	seqnwud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 3624	956	seqnwud.exe	113

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3488	sc.exe
488	sc.exe
644	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4396	5004	WerFault.exe	87
5072	956	WerFault.exe	101

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4832	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	91
PID 5004 wrote to memory of 4832	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	91
PID 5004 wrote to memory of 4832	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	91
PID 5004 wrote to memory of 3712	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	93
PID 5004 wrote to memory of 3712	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	93
PID 5004 wrote to memory of 3712	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	93
PID 5004 wrote to memory of 3488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	96
PID 5004 wrote to memory of 3488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	96
PID 5004 wrote to memory of 3488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	96
PID 5004 wrote to memory of 488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	97
PID 5004 wrote to memory of 488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	97
PID 5004 wrote to memory of 488	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	97
PID 5004 wrote to memory of 644	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	99
PID 5004 wrote to memory of 644	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	99
PID 5004 wrote to memory of 644	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	99
PID 5004 wrote to memory of 4916	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	104
PID 5004 wrote to memory of 4916	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	104
PID 5004 wrote to memory of 4916	5004	0a6f8d6155ae1fd81f089e2f2459d79a.exe	104
PID 956 wrote to memory of 3624	956	seqnwud.exe	113
PID 956 wrote to memory of 3624	956	seqnwud.exe	113
PID 956 wrote to memory of 3624	956	seqnwud.exe	113
PID 956 wrote to memory of 3624	956	seqnwud.exe	113
PID 956 wrote to memory of 3624	956	seqnwud.exe	113

C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe
"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xosdbwxu\
  2⤵
  PID:4832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\seqnwud.exe" C:\Windows\SysWOW64\xosdbwxu\
  2⤵
  PID:3712
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create xosdbwxu binPath= "C:\Windows\SysWOW64\xosdbwxu\seqnwud.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description xosdbwxu "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:488
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start xosdbwxu
  2⤵
  - Launches sc.exe
  PID:644
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1036
  2⤵
  - Program crash
  PID:4396

C:\Windows\SysWOW64\xosdbwxu\seqnwud.exe
C:\Windows\SysWOW64\xosdbwxu\seqnwud.exe /d"C:\Users\Admin\AppData\Local\Temp\0a6f8d6155ae1fd81f089e2f2459d79a.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 520
  2⤵
  - Program crash
  PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5004 -ip 5004
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 956 -ip 956
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\seqnwud.exe

Filesize
2.5MB

MD5
715f190dc0b4ca66cae54962ed74da6a

SHA1
0f17c5bfbeaecd34b254e0ce180b722f5667f96d

SHA256
ad3354aee43893aacc7f496f3669c98ffdb20177bfa7ecd5f0be5ae0715f1838

SHA512
436b9bed34616136c5508f18f38da883ec581366ec2068f05126e90d6ff2218954516675fd8f3a591605ebc1f39cf8bd3d3ca5e27c5094842980836696c5f753

Download Submit
C:\Windows\SysWOW64\xosdbwxu\seqnwud.exe

Filesize
139KB

MD5
cfee8257afc1bf8cfccb51df2bfef5c8

SHA1
14756db64effe1a30b8c22762ea4300405cd1a05

SHA256
bd63124d50b7fc81d24a2bae2452c1d7daee3f9f1ff66d86a7c34ca472bb49f6

SHA512
dff141068821771dba1f30ec58222586771168b0d45c8f525deee9166cd63f4f0ee830c4bfb716985f3d969ca28a8834e3d397898d5782aa7f0a73128adc400f

Download Submit
memory/956-13-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/956-11-0x0000000000B70000-0x0000000000C70000-memory.dmp

Filesize
1024KB

Download
memory/3624-10-0x0000000000F50000-0x0000000000F65000-memory.dmp

Filesize
84KB

Download
memory/3624-16-0x0000000000F50000-0x0000000000F65000-memory.dmp

Filesize
84KB

Download
memory/3624-17-0x0000000000F50000-0x0000000000F65000-memory.dmp

Filesize
84KB

Download
memory/3624-19-0x0000000000F50000-0x0000000000F65000-memory.dmp

Filesize
84KB

Download
memory/5004-8-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/5004-9-0x0000000000B20000-0x0000000000B33000-memory.dmp

Filesize
76KB

Download
memory/5004-4-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/5004-2-0x0000000000B20000-0x0000000000B33000-memory.dmp

Filesize
76KB

Download
memory/5004-1-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads