tofsee | b4dd0c183d3d1773fa1c7d8bea616c7f1dfb88a976d3cf830e51a603d8ae2357

General

Target

3ca8c8d37aaf196e64823ea50c99f31b.exe
Size

13.0MB
MD5

3ca8c8d37aaf196e64823ea50c99f31b
SHA1

77e4c78731986023345c93aae45916607be812b8
SHA256

b4dd0c183d3d1773fa1c7d8bea616c7f1dfb88a976d3cf830e51a603d8ae2357
SHA512

1ba499d0e8f3c253f4a5f16e7770150154f71809636e7967c74cc2caf1072da459c41aae6379f8e8d0d6e65f62daada99242e561fab2c25a6fa376bcb4c64709
SSDEEP

6144:IxbQq7asTdx16ifogWuQK4ZpG3XQ4L0hlDF5r:8ashxM05WewpmAljr

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3120	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uueqfctt\ImagePath = "C:\\Windows\\SysWOW64\\uueqfctt\\eilhtczv.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	3ca8c8d37aaf196e64823ea50c99f31b.exe

Deletes itself 1 IoCs

pid	Process
2256	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3768	eilhtczv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 2256	3768	eilhtczv.exe	109

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4120	sc.exe
2660	sc.exe
4380	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1624	4052	WerFault.exe	87
1388	3768	WerFault.exe	101

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3964	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	92
PID 4052 wrote to memory of 3964	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	92
PID 4052 wrote to memory of 3964	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	92
PID 4052 wrote to memory of 4876	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	94
PID 4052 wrote to memory of 4876	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	94
PID 4052 wrote to memory of 4876	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	94
PID 4052 wrote to memory of 4120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	96
PID 4052 wrote to memory of 4120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	96
PID 4052 wrote to memory of 4120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	96
PID 4052 wrote to memory of 2660	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	98
PID 4052 wrote to memory of 2660	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	98
PID 4052 wrote to memory of 2660	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	98
PID 4052 wrote to memory of 4380	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	100
PID 4052 wrote to memory of 4380	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	100
PID 4052 wrote to memory of 4380	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	100
PID 4052 wrote to memory of 3120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	105
PID 4052 wrote to memory of 3120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	105
PID 4052 wrote to memory of 3120	4052	3ca8c8d37aaf196e64823ea50c99f31b.exe	105
PID 3768 wrote to memory of 2256	3768	eilhtczv.exe	109
PID 3768 wrote to memory of 2256	3768	eilhtczv.exe	109
PID 3768 wrote to memory of 2256	3768	eilhtczv.exe	109
PID 3768 wrote to memory of 2256	3768	eilhtczv.exe	109
PID 3768 wrote to memory of 2256	3768	eilhtczv.exe	109

C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe
"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uueqfctt\
  2⤵
  PID:3964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eilhtczv.exe" C:\Windows\SysWOW64\uueqfctt\
  2⤵
  PID:4876
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uueqfctt binPath= "C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uueqfctt "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uueqfctt
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 580
  2⤵
  - Program crash
  PID:1624

C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe
C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe /d"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 516
  2⤵
  - Program crash
  PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4052 -ip 4052
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3768 -ip 3768
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eilhtczv.exe

Filesize
1.2MB

MD5
aa0cde174a68d52e8f1e51d9528d9079

SHA1
ff4c450c25f006bbd4bf0d1aa441fb9c91a2ab07

SHA256
edac5848e60626839666bac9cd5c419122d55c5d30321e0a3502bc4bb0057154

SHA512
8dbe43f37319d598f0db49325a9dec9c59cad0516c6f9375695f5587d2ab041d06958c2848bc528cba0305b38b773c6ed38bee46cdd64a0d1676809a68d8e98e

Download Submit
C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe

Filesize
701KB

MD5
fc20010b6161cd62cb170a6edf570dc2

SHA1
90b59d7abb3a075390add8f05319edc4fb22cecb

SHA256
d04e075302a100a70d0eb87f60b30afe9ba2fa4238df38f169e53cc0f918404a

SHA512
20929e6b4c4e0f622c184252638a1915f8a96ad9d7fafdc7346aa45000ba54a66470d71fb23f56a608448ea9a2cea94061b829c6117023424b8045f789ce7e2d

Download Submit
memory/2256-10-0x0000000000F00000-0x0000000000F15000-memory.dmp

Filesize
84KB

Download
memory/2256-18-0x0000000000F00000-0x0000000000F15000-memory.dmp

Filesize
84KB

Download
memory/2256-16-0x0000000000F00000-0x0000000000F15000-memory.dmp

Filesize
84KB

Download
memory/2256-14-0x0000000000F00000-0x0000000000F15000-memory.dmp

Filesize
84KB

Download
memory/3768-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3768-13-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/4052-9-0x0000000000550000-0x0000000000563000-memory.dmp

Filesize
76KB

Download
memory/4052-1-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/4052-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4052-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4052-2-0x0000000000550000-0x0000000000563000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads