tofsee | 5081506feb46f06efc15eb14a7deff7618a7bfbe0a42363c6478540002647c7e

General

Target

2368aa18bcdbe7be7eb90add30b17d35.exe
Size

11.8MB
MD5

2368aa18bcdbe7be7eb90add30b17d35
SHA1

39952f16bba27c35d4c8825d7ce59e01afc8daae
SHA256

5081506feb46f06efc15eb14a7deff7618a7bfbe0a42363c6478540002647c7e
SHA512

9d29520e8a23be63274687e4fa22a557d864b1161dd1e75f765bddd2b96aa2e82423ccde3b5eecc909ffd004339a46f152e8c44fd1fdbe71fcf2d617992854da
SSDEEP

12288:CKBz1FxKfGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG2:JBz1Fx

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
512	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2368aa18bcdbe7be7eb90add30b17d35.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1548	sc.exe
620	sc.exe
3488	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1692	3528	WerFault.exe	104
3364	752	WerFault.exe	90

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 5088	752	2368aa18bcdbe7be7eb90add30b17d35.exe	94
PID 752 wrote to memory of 5088	752	2368aa18bcdbe7be7eb90add30b17d35.exe	94
PID 752 wrote to memory of 5088	752	2368aa18bcdbe7be7eb90add30b17d35.exe	94
PID 752 wrote to memory of 4792	752	2368aa18bcdbe7be7eb90add30b17d35.exe	97
PID 752 wrote to memory of 4792	752	2368aa18bcdbe7be7eb90add30b17d35.exe	97
PID 752 wrote to memory of 4792	752	2368aa18bcdbe7be7eb90add30b17d35.exe	97
PID 752 wrote to memory of 1548	752	2368aa18bcdbe7be7eb90add30b17d35.exe	99
PID 752 wrote to memory of 1548	752	2368aa18bcdbe7be7eb90add30b17d35.exe	99
PID 752 wrote to memory of 1548	752	2368aa18bcdbe7be7eb90add30b17d35.exe	99

C:\Users\Admin\AppData\Local\Temp\2368aa18bcdbe7be7eb90add30b17d35.exe
"C:\Users\Admin\AppData\Local\Temp\2368aa18bcdbe7be7eb90add30b17d35.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hayoborz\
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zttkvevx.exe" C:\Windows\SysWOW64\hayoborz\
  2⤵
  PID:4792
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hayoborz binPath= "C:\Windows\SysWOW64\hayoborz\zttkvevx.exe /d\"C:\Users\Admin\AppData\Local\Temp\2368aa18bcdbe7be7eb90add30b17d35.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1548
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hayoborz "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hayoborz
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 580
  2⤵
  - Program crash
  PID:3364
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:512

C:\Windows\SysWOW64\hayoborz\zttkvevx.exe
C:\Windows\SysWOW64\hayoborz\zttkvevx.exe /d"C:\Users\Admin\AppData\Local\Temp\2368aa18bcdbe7be7eb90add30b17d35.exe"
1⤵
PID:3528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 176
  2⤵
  - Program crash
  PID:1692
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3528 -ip 3528
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 752 -ip 752
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zttkvevx.exe

Filesize
58KB

MD5
a5e5c68bef15e3b65051d1d08c21dfff

SHA1
cfb0eb06737aed4dff105b404c8124be39aa1021

SHA256
edf776ba879a4820b43bdde3caec0551aa7cbb049819c2cace0480b7f9788a77

SHA512
dd47bcbad59db7649c2c3ac144210b15ce8f9bfa6a35c9705660735ac68d548254bcfb5b2af6bea2e781b12586540549f316e91e21e6f8dec13e6a567cd65694

Download Submit
C:\Windows\SysWOW64\hayoborz\zttkvevx.exe

Filesize
252KB

MD5
d9b78ef0231a9008542ec15d3dcdd7e3

SHA1
f9954f709be83344679ebe697c2c8dfc6bc09676

SHA256
7baa8c599ae8ab87c6ff58cf74c01834473c2e67d1b4592ffdef3ed6d86202dc

SHA512
8af2332235a878b5cd94e48b936c64b27cffd5e609b0f2a325d0e9890172927e56717ca0c4719ac3f0be52abd5799809c39eab07f62df7aa50f87a11702e0586

Download Submit
memory/752-14-0x0000000000400000-0x0000000003348000-memory.dmp

Filesize
47.3MB

Download
memory/752-3-0x0000000003460000-0x0000000003473000-memory.dmp

Filesize
76KB

Download
memory/752-4-0x0000000000400000-0x0000000003348000-memory.dmp

Filesize
47.3MB

Download
memory/752-5-0x0000000003690000-0x0000000003790000-memory.dmp

Filesize
1024KB

Download
memory/752-2-0x0000000000400000-0x0000000003348000-memory.dmp

Filesize
47.3MB

Download
memory/2380-9-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/2380-17-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/2380-18-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/2380-19-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/2380-20-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/3528-15-0x0000000000400000-0x0000000003348000-memory.dmp

Filesize
47.3MB

Download
memory/3528-12-0x0000000000400000-0x0000000003348000-memory.dmp

Filesize
47.3MB

Download
memory/3528-16-0x0000000003665000-0x0000000003672000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads