tofsee | f4249609884135f73548ec366d2d6ebf0caef1450c5c2fd29d5f2810572571a5

General

Target

08e2a9bf296ab0b6532f8404b35fa1ee.exe
Size

10.3MB
MD5

08e2a9bf296ab0b6532f8404b35fa1ee
SHA1

813a762623d7a6ee5de265cccef53f95eb1c4842
SHA256

f4249609884135f73548ec366d2d6ebf0caef1450c5c2fd29d5f2810572571a5
SHA512

5cba8e6b8a4848306df21645955c3d55f26810aab2916f59e84178fad1df8817b204e0f25e90ff87c1caccc0d74c7ce0bf5790281ea5ddd468c685c181cf5e17
SSDEEP

49152:Gj55555555555555555555555555555555555555555555555555555555555559:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3652	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fzxapxjc\ImagePath = "C:\\Windows\\SysWOW64\\fzxapxjc\\ukqjksir.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	08e2a9bf296ab0b6532f8404b35fa1ee.exe

Deletes itself 1 IoCs

pid	Process
3096	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3256	ukqjksir.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3256 set thread context of 3096	3256	ukqjksir.exe	85

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2852	sc.exe
4160	sc.exe
4588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 2608	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	31
PID 736 wrote to memory of 2608	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	31
PID 736 wrote to memory of 2608	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	31
PID 736 wrote to memory of 2200	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	41
PID 736 wrote to memory of 2200	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	41
PID 736 wrote to memory of 2200	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	41
PID 736 wrote to memory of 2852	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	52
PID 736 wrote to memory of 2852	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	52
PID 736 wrote to memory of 2852	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	52
PID 736 wrote to memory of 4160	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	62
PID 736 wrote to memory of 4160	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	62
PID 736 wrote to memory of 4160	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	62
PID 736 wrote to memory of 4588	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	74
PID 736 wrote to memory of 4588	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	74
PID 736 wrote to memory of 4588	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	74
PID 3256 wrote to memory of 3096	3256	ukqjksir.exe	85
PID 3256 wrote to memory of 3096	3256	ukqjksir.exe	85
PID 3256 wrote to memory of 3096	3256	ukqjksir.exe	85
PID 3256 wrote to memory of 3096	3256	ukqjksir.exe	85
PID 3256 wrote to memory of 3096	3256	ukqjksir.exe	85
PID 736 wrote to memory of 3652	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	84
PID 736 wrote to memory of 3652	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	84
PID 736 wrote to memory of 3652	736	08e2a9bf296ab0b6532f8404b35fa1ee.exe	84

C:\Users\Admin\AppData\Local\Temp\08e2a9bf296ab0b6532f8404b35fa1ee.exe
"C:\Users\Admin\AppData\Local\Temp\08e2a9bf296ab0b6532f8404b35fa1ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fzxapxjc\
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ukqjksir.exe" C:\Windows\SysWOW64\fzxapxjc\
  2⤵
  PID:2200
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create fzxapxjc binPath= "C:\Windows\SysWOW64\fzxapxjc\ukqjksir.exe /d\"C:\Users\Admin\AppData\Local\Temp\08e2a9bf296ab0b6532f8404b35fa1ee.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description fzxapxjc "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4160
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start fzxapxjc
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3652

C:\Windows\SysWOW64\fzxapxjc\ukqjksir.exe
C:\Windows\SysWOW64\fzxapxjc\ukqjksir.exe /d"C:\Users\Admin\AppData\Local\Temp\08e2a9bf296ab0b6532f8404b35fa1ee.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ukqjksir.exe

Filesize
92KB

MD5
02fd2f499cea7dcdfda1c9a1ba2d8742

SHA1
b0e9fc1b5d135ba68a109082ee47a41abc1e5425

SHA256
202a517634fbce128f21aa9b17e9c54dcf6dc816153a501bf5c37e13a5809552

SHA512
28d64bbe6b7093d6fdf83b67898bb46d2130639511d5ad5ad709d24b52003ee213da6d910fef762a5b9d4090f84493a5f4ea3f01c88cd4382c99bde9f2c33f00

Download Submit
memory/736-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/736-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/736-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/736-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/736-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3096-16-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3096-17-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3096-15-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3096-10-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3096-18-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3256-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3256-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3256-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads