tofsee | 7dcf006ee2cc77b93ea32f21abf7cdf57032186f9a5bc5d9d7654179ff6e0170

General

Target

2087dcbdd917f0c96f2e4067b4e63d49.exe
Size

13.1MB
MD5

2087dcbdd917f0c96f2e4067b4e63d49
SHA1

1b39f885512cf99e1f10a51308631a96f982f970
SHA256

7dcf006ee2cc77b93ea32f21abf7cdf57032186f9a5bc5d9d7654179ff6e0170
SHA512

6feba0192685c4c959b0d87c1501c4e7231a7a5bc20fda842fea9248c9a69e530b039cb7da5bed20cae25bd6dadf75a5df46bbf87da6273c72c52eb2f83fb29b
SSDEEP

196608:PXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2020	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2087dcbdd917f0c96f2e4067b4e63d49.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1064	sc.exe
928	sc.exe
1352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	1460	WerFault.exe	91

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3408	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	98
PID 1460 wrote to memory of 3408	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	98
PID 1460 wrote to memory of 3408	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	98
PID 1460 wrote to memory of 1448	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	101
PID 1460 wrote to memory of 1448	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	101
PID 1460 wrote to memory of 1448	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	101
PID 1460 wrote to memory of 1064	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	103
PID 1460 wrote to memory of 1064	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	103
PID 1460 wrote to memory of 1064	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	103
PID 1460 wrote to memory of 928	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	105
PID 1460 wrote to memory of 928	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	105
PID 1460 wrote to memory of 928	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	105
PID 1460 wrote to memory of 1352	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	108
PID 1460 wrote to memory of 1352	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	108
PID 1460 wrote to memory of 1352	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	108
PID 1460 wrote to memory of 2020	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	109
PID 1460 wrote to memory of 2020	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	109
PID 1460 wrote to memory of 2020	1460	2087dcbdd917f0c96f2e4067b4e63d49.exe	109

C:\Users\Admin\AppData\Local\Temp\2087dcbdd917f0c96f2e4067b4e63d49.exe
"C:\Users\Admin\AppData\Local\Temp\2087dcbdd917f0c96f2e4067b4e63d49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ftglhbpd\
  2⤵
  PID:3408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gghpvqse.exe" C:\Windows\SysWOW64\ftglhbpd\
  2⤵
  PID:1448
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ftglhbpd binPath= "C:\Windows\SysWOW64\ftglhbpd\gghpvqse.exe /d\"C:\Users\Admin\AppData\Local\Temp\2087dcbdd917f0c96f2e4067b4e63d49.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1064
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ftglhbpd "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:928
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ftglhbpd
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 600
  2⤵
  - Program crash
  PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gghpvqse.exe

Filesize
738KB

MD5
3973c38c330329dede5506fa0c5cc917

SHA1
430343af8f7081c97e508913ea07c2d8e2704448

SHA256
950607d198cfeb40b219c42283551536f295062183ad58a49b328214f8c0ad5f

SHA512
70d8802a1e8c87cc02e7f662306d4cb876d187f3602b93e3f6cf6d2addd81f6057e1f7837b607c44a59e00ce1f7574281a74466256ddf85fa7ed00190d31dbc5

Download Submit
memory/1460-1-0x0000000000B00000-0x0000000000C00000-memory.dmp

Filesize
1024KB

Download
memory/1460-2-0x0000000000A50000-0x0000000000A63000-memory.dmp

Filesize
76KB

Download
memory/1460-3-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1460-5-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1460-7-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1460-8-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1460-9-0x0000000000A50000-0x0000000000A63000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads