tofsee | bbcbc46423a4de598202fb1eb951a6889a14f5a00f4ce2d5a17cc077e72a8b86

General

Target

04247444c63e4da32d03fd19d206dc7b.exe
Size

13.2MB
MD5

04247444c63e4da32d03fd19d206dc7b
SHA1

fce62816cc19fe0b77f7d271da20ba21233b2537
SHA256

bbcbc46423a4de598202fb1eb951a6889a14f5a00f4ce2d5a17cc077e72a8b86
SHA512

eac1585568e6a0bb7fef0aaac97f8210a7a4e2ea5aec26a01ea8b76ee2305938e650e49abe03f0ed85ca7e43f416e054f7b2a6b183c347945fcb35b50e65b5d6
SSDEEP

49152:o8KGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG2:o8

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3264	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mqtbqyqb\ImagePath = "C:\\Windows\\SysWOW64\\mqtbqyqb\\hnyjbqkw.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	04247444c63e4da32d03fd19d206dc7b.exe

Deletes itself 1 IoCs

pid	Process
2480	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1484	hnyjbqkw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 2480	1484	hnyjbqkw.exe	113

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4908	sc.exe
2288	sc.exe
4936	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3344	3580	WerFault.exe	89
3536	1484	WerFault.exe	105

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3984	3580	04247444c63e4da32d03fd19d206dc7b.exe	95
PID 3580 wrote to memory of 3984	3580	04247444c63e4da32d03fd19d206dc7b.exe	95
PID 3580 wrote to memory of 3984	3580	04247444c63e4da32d03fd19d206dc7b.exe	95
PID 3580 wrote to memory of 2484	3580	04247444c63e4da32d03fd19d206dc7b.exe	97
PID 3580 wrote to memory of 2484	3580	04247444c63e4da32d03fd19d206dc7b.exe	97
PID 3580 wrote to memory of 2484	3580	04247444c63e4da32d03fd19d206dc7b.exe	97
PID 3580 wrote to memory of 4936	3580	04247444c63e4da32d03fd19d206dc7b.exe	100
PID 3580 wrote to memory of 4936	3580	04247444c63e4da32d03fd19d206dc7b.exe	100
PID 3580 wrote to memory of 4936	3580	04247444c63e4da32d03fd19d206dc7b.exe	100
PID 3580 wrote to memory of 4908	3580	04247444c63e4da32d03fd19d206dc7b.exe	101
PID 3580 wrote to memory of 4908	3580	04247444c63e4da32d03fd19d206dc7b.exe	101
PID 3580 wrote to memory of 4908	3580	04247444c63e4da32d03fd19d206dc7b.exe	101
PID 3580 wrote to memory of 2288	3580	04247444c63e4da32d03fd19d206dc7b.exe	104
PID 3580 wrote to memory of 2288	3580	04247444c63e4da32d03fd19d206dc7b.exe	104
PID 3580 wrote to memory of 2288	3580	04247444c63e4da32d03fd19d206dc7b.exe	104
PID 3580 wrote to memory of 3264	3580	04247444c63e4da32d03fd19d206dc7b.exe	106
PID 3580 wrote to memory of 3264	3580	04247444c63e4da32d03fd19d206dc7b.exe	106
PID 3580 wrote to memory of 3264	3580	04247444c63e4da32d03fd19d206dc7b.exe	106
PID 1484 wrote to memory of 2480	1484	hnyjbqkw.exe	113
PID 1484 wrote to memory of 2480	1484	hnyjbqkw.exe	113
PID 1484 wrote to memory of 2480	1484	hnyjbqkw.exe	113
PID 1484 wrote to memory of 2480	1484	hnyjbqkw.exe	113
PID 1484 wrote to memory of 2480	1484	hnyjbqkw.exe	113

C:\Users\Admin\AppData\Local\Temp\04247444c63e4da32d03fd19d206dc7b.exe
"C:\Users\Admin\AppData\Local\Temp\04247444c63e4da32d03fd19d206dc7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqtbqyqb\
  2⤵
  PID:3984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hnyjbqkw.exe" C:\Windows\SysWOW64\mqtbqyqb\
  2⤵
  PID:2484
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mqtbqyqb binPath= "C:\Windows\SysWOW64\mqtbqyqb\hnyjbqkw.exe /d\"C:\Users\Admin\AppData\Local\Temp\04247444c63e4da32d03fd19d206dc7b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4936
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mqtbqyqb "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4908
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start mqtbqyqb
  2⤵
  - Launches sc.exe
  PID:2288
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 796
  2⤵
  - Program crash
  PID:3344

C:\Windows\SysWOW64\mqtbqyqb\hnyjbqkw.exe
C:\Windows\SysWOW64\mqtbqyqb\hnyjbqkw.exe /d"C:\Users\Admin\AppData\Local\Temp\04247444c63e4da32d03fd19d206dc7b.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 532
  2⤵
  - Program crash
  PID:3536
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3580 -ip 3580
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1484 -ip 1484
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hnyjbqkw.exe

Filesize
937KB

MD5
90fba08c9340a5abed44702f3a698bdc

SHA1
7c198324a3a55b4f45e85b636cc688d9be049efd

SHA256
eaab57c4813739567b2e4c91ec19586f7491c82d52154cb98b04e7d3d2c764e2

SHA512
0d721034607f43bb3b822cd26a9aebd72860762e0b2968ef1c6bd746df6681b2dd11083aa065c620caccbe58c930fb2a7b82ad85de0169b10ff5e4d787c316b3

Download Submit
C:\Windows\SysWOW64\mqtbqyqb\hnyjbqkw.exe

Filesize
723KB

MD5
25436b68b94dd586f56ef7fdec7a1d8e

SHA1
37ec6be080a901f6807c6906a44746efd272724c

SHA256
778ece2be4cdc734237962da2e4d5fb18b16229b28ffa34ee1ddd0ee1e4a084f

SHA512
9b4c6795e63d00822f95a987e4b031e3985c262e39bf0d51ba6ad9a7e1cb029e06147702036340fd4c0592b35351b92161524d1c75d0503d38a2c15ec9a82aea

Download Submit
memory/1484-14-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/1484-12-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/2480-16-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/2480-10-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/2480-15-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/2480-18-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/2480-19-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/3580-7-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3580-8-0x0000000000DD0000-0x0000000000DE3000-memory.dmp

Filesize
76KB

Download
memory/3580-4-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3580-1-0x0000000000EA0000-0x0000000000FA0000-memory.dmp

Filesize
1024KB

Download
memory/3580-2-0x0000000000DD0000-0x0000000000DE3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads