tofsee | f7f52a420f5a91365172d5aa150fa8ddb332683a2ceaa77048383aa90ad89edb

General

Target

07c1216f0059bf50de173ee5a373b5e5.exe
Size

10.5MB
MD5

07c1216f0059bf50de173ee5a373b5e5
SHA1

cbbe88d0baeb5ee7531b070ac9f8379644879f6b
SHA256

f7f52a420f5a91365172d5aa150fa8ddb332683a2ceaa77048383aa90ad89edb
SHA512

bc69b4efbbd539527162338afc997b2a50cc1bdb8e75aa24a403f8a616ecffd0c144e030178857ad242f9284a1d53c76803f6c3739805204131366aaec4392bd
SSDEEP

98304:bjhd88888888888888888888888888888888888888888888888888888888888H:b

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2172	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	07c1216f0059bf50de173ee5a373b5e5.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3384	sc.exe
2180	sc.exe
3452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2004	4036	WerFault.exe	17
2656	4756	WerFault.exe	100

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3184	4036	07c1216f0059bf50de173ee5a373b5e5.exe	80
PID 4036 wrote to memory of 3184	4036	07c1216f0059bf50de173ee5a373b5e5.exe	80
PID 4036 wrote to memory of 3184	4036	07c1216f0059bf50de173ee5a373b5e5.exe	80

C:\Users\Admin\AppData\Local\Temp\07c1216f0059bf50de173ee5a373b5e5.exe
"C:\Users\Admin\AppData\Local\Temp\07c1216f0059bf50de173ee5a373b5e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jrfhbzow\
  2⤵
  PID:3184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ihhofbef.exe" C:\Windows\SysWOW64\jrfhbzow\
  2⤵
  PID:1592
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create jrfhbzow binPath= "C:\Windows\SysWOW64\jrfhbzow\ihhofbef.exe /d\"C:\Users\Admin\AppData\Local\Temp\07c1216f0059bf50de173ee5a373b5e5.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3452
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description jrfhbzow "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:3384
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start jrfhbzow
  2⤵
  - Launches sc.exe
  PID:2180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1028
  2⤵
  - Program crash
  PID:2004
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2172

C:\Windows\SysWOW64\jrfhbzow\ihhofbef.exe
C:\Windows\SysWOW64\jrfhbzow\ihhofbef.exe /d"C:\Users\Admin\AppData\Local\Temp\07c1216f0059bf50de173ee5a373b5e5.exe"
1⤵
PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 512
  2⤵
  - Program crash
  PID:2656
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4036 -ip 4036
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4756 -ip 4756
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ihhofbef.exe

Filesize
14KB

MD5
37d2a43849189ca5b61efa2349f8b8dc

SHA1
9a8564e18b38c5e85379717b848b1c08bc62d4e5

SHA256
9c471fb1c51b1695a7c6438a857d92c14abd7ff53d135513b0ebc27f871bd8d5

SHA512
e5216b2cb2ae565284c1b00eaf4e6af3b6d1146b81ffc84a63425f6c1225c1ccf25b5156d7404c94708d7eb6d23982d61fd5b245c4b423a7b9e6793ecccb211c

Download Submit
C:\Windows\SysWOW64\jrfhbzow\ihhofbef.exe

Filesize
38KB

MD5
3a519d8e67012db69cc258221bf4e80e

SHA1
0c8919c7e803cca8f11668eec71d4a118dc008b8

SHA256
cf0345564573add5d416a3b2b444fff02f68eb2500b645e344f436cdb3a63264

SHA512
765788259a1ef138bd4cceb6fa9f130e5db4ff4dce72a1501d9c39606eee65f7ddda2eb2e640019ede6bbf6286b221d896a6129cdd4975dafd8ff92b41ac46aa

Download Submit
memory/4036-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4036-1-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/4036-4-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4036-8-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/4036-2-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/4612-15-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4612-18-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4612-16-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4612-11-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4612-19-0x0000000000E60000-0x0000000000E75000-memory.dmp

Filesize
84KB

Download
memory/4756-10-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4756-17-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4756-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads