tofsee | 94822641c01bf60fce29c05b2eaa530b73346acbf888869cc7205451139ded16

General

Target

190fbee46a1824feee06569aa79f651f.exe
Size

12.2MB
MD5

190fbee46a1824feee06569aa79f651f
SHA1

53ad94314c6b0cd4cddce50a73c629cdc8fbf4a0
SHA256

94822641c01bf60fce29c05b2eaa530b73346acbf888869cc7205451139ded16
SHA512

002637e504dcff6a25f5689f001edf08c43566ba8cf34387d072e9245c4f00704721e6c8b53c2e741d76789f68927af3e30a35dcf30bff05ea1dc1ea7439f6f1
SSDEEP

49152:sHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHn:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4744	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	190fbee46a1824feee06569aa79f651f.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4172	sc.exe
3664	sc.exe
4432	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3676	4616	WerFault.exe	18
3632	4476	WerFault.exe	106

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4900	4616	190fbee46a1824feee06569aa79f651f.exe	94
PID 4616 wrote to memory of 4900	4616	190fbee46a1824feee06569aa79f651f.exe	94
PID 4616 wrote to memory of 4900	4616	190fbee46a1824feee06569aa79f651f.exe	94

C:\Users\Admin\AppData\Local\Temp\190fbee46a1824feee06569aa79f651f.exe
"C:\Users\Admin\AppData\Local\Temp\190fbee46a1824feee06569aa79f651f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nxgepedb\
  2⤵
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zwofbsom.exe" C:\Windows\SysWOW64\nxgepedb\
  2⤵
  PID:4836
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nxgepedb binPath= "C:\Windows\SysWOW64\nxgepedb\zwofbsom.exe /d\"C:\Users\Admin\AppData\Local\Temp\190fbee46a1824feee06569aa79f651f.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4172
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nxgepedb "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:3664
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nxgepedb
  2⤵
  - Launches sc.exe
  PID:4432
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1028
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\nxgepedb\zwofbsom.exe
C:\Windows\SysWOW64\nxgepedb\zwofbsom.exe /d"C:\Users\Admin\AppData\Local\Temp\190fbee46a1824feee06569aa79f651f.exe"
1⤵
PID:4476
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 516
  2⤵
  - Program crash
  PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4616 -ip 4616
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4476 -ip 4476
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zwofbsom.exe

Filesize
149KB

MD5
be2b35a6d32b51f70c8eb6f14cf6d953

SHA1
00ade82dd81184efe3292a10480d15bb58c09275

SHA256
6369c258ec7055749e90dbc7a95f77fccaee3001bed5f86f95b8ddab8488b3fa

SHA512
cb632ce2dbf1e895074b730d3e07818393a88fc3ccdd8f728d860c4cc8e5da22b5f84d3ad661a8fe4eac9afb43dbbaad1914182c41cd597458e805b81c968866

Download Submit
C:\Windows\SysWOW64\nxgepedb\zwofbsom.exe

Filesize
17KB

MD5
161a3dc2ff40374ee0353ae7532d8021

SHA1
65e9ef28ee6fe1aff0e07be4b3cd199d5adff0d3

SHA256
efa1a670c24b15dc183e1ac9dd6631e1456133e6a8e0173b8bf25cdca5d4719a

SHA512
592ecf45d619fbe4df3ec9ba8adebc11c36320789cb7e2f83ae07df775794bc7e6178487d61a3916de4f10b5da2dbc22637c7b4006f50da5e58f1907a38f5e0e

Download Submit
memory/464-17-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/464-16-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/464-10-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/464-19-0x0000000001000000-0x0000000001015000-memory.dmp

Filesize
84KB

Download
memory/4476-11-0x0000000000E70000-0x0000000000F70000-memory.dmp

Filesize
1024KB

Download
memory/4476-14-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/4616-4-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/4616-2-0x0000000002960000-0x0000000002973000-memory.dmp

Filesize
76KB

Download
memory/4616-7-0x0000000000400000-0x0000000000C19000-memory.dmp

Filesize
8.1MB

Download
memory/4616-8-0x0000000002960000-0x0000000002973000-memory.dmp

Filesize
76KB

Download
memory/4616-1-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads