tofsee | 337fe1ac0900e6a6161126f01830debc25cd8f5affaec0f7aecd637baccc8fce

General

Target

10955b59a370e9f78636a2b3bdda218d.exe
Size

13.1MB
MD5

10955b59a370e9f78636a2b3bdda218d
SHA1

cc4685968302c783df3e1db04c1552af627df611
SHA256

337fe1ac0900e6a6161126f01830debc25cd8f5affaec0f7aecd637baccc8fce
SHA512

62e40e88fa790bc7e9b5297aa4cc98f3b07115905f7e82e1007cab0bb7cd2c1f0b22b058d264a520946080fec05951a2b43f9b50b0cd0e319ccde116c8f930f1
SSDEEP

98304:ANWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllT:2W

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2160	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tdodveim\ImagePath = "C:\\Windows\\SysWOW64\\tdodveim\\nnozuvtb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	10955b59a370e9f78636a2b3bdda218d.exe

Deletes itself 1 IoCs

pid	Process
1560	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	nnozuvtb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 1560	4892	nnozuvtb.exe	109

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2220	sc.exe
2388	sc.exe
952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1476	3012	10955b59a370e9f78636a2b3bdda218d.exe	96
PID 3012 wrote to memory of 1476	3012	10955b59a370e9f78636a2b3bdda218d.exe	96
PID 3012 wrote to memory of 1476	3012	10955b59a370e9f78636a2b3bdda218d.exe	96
PID 3012 wrote to memory of 4432	3012	10955b59a370e9f78636a2b3bdda218d.exe	98
PID 3012 wrote to memory of 4432	3012	10955b59a370e9f78636a2b3bdda218d.exe	98
PID 3012 wrote to memory of 4432	3012	10955b59a370e9f78636a2b3bdda218d.exe	98
PID 3012 wrote to memory of 952	3012	10955b59a370e9f78636a2b3bdda218d.exe	100
PID 3012 wrote to memory of 952	3012	10955b59a370e9f78636a2b3bdda218d.exe	100
PID 3012 wrote to memory of 952	3012	10955b59a370e9f78636a2b3bdda218d.exe	100
PID 3012 wrote to memory of 2220	3012	10955b59a370e9f78636a2b3bdda218d.exe	102
PID 3012 wrote to memory of 2220	3012	10955b59a370e9f78636a2b3bdda218d.exe	102
PID 3012 wrote to memory of 2220	3012	10955b59a370e9f78636a2b3bdda218d.exe	102
PID 3012 wrote to memory of 2388	3012	10955b59a370e9f78636a2b3bdda218d.exe	104
PID 3012 wrote to memory of 2388	3012	10955b59a370e9f78636a2b3bdda218d.exe	104
PID 3012 wrote to memory of 2388	3012	10955b59a370e9f78636a2b3bdda218d.exe	104
PID 3012 wrote to memory of 2160	3012	10955b59a370e9f78636a2b3bdda218d.exe	106
PID 3012 wrote to memory of 2160	3012	10955b59a370e9f78636a2b3bdda218d.exe	106
PID 3012 wrote to memory of 2160	3012	10955b59a370e9f78636a2b3bdda218d.exe	106
PID 4892 wrote to memory of 1560	4892	nnozuvtb.exe	109
PID 4892 wrote to memory of 1560	4892	nnozuvtb.exe	109
PID 4892 wrote to memory of 1560	4892	nnozuvtb.exe	109
PID 4892 wrote to memory of 1560	4892	nnozuvtb.exe	109
PID 4892 wrote to memory of 1560	4892	nnozuvtb.exe	109

C:\Users\Admin\AppData\Local\Temp\10955b59a370e9f78636a2b3bdda218d.exe
"C:\Users\Admin\AppData\Local\Temp\10955b59a370e9f78636a2b3bdda218d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdodveim\
  2⤵
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nnozuvtb.exe" C:\Windows\SysWOW64\tdodveim\
  2⤵
  PID:4432
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create tdodveim binPath= "C:\Windows\SysWOW64\tdodveim\nnozuvtb.exe /d\"C:\Users\Admin\AppData\Local\Temp\10955b59a370e9f78636a2b3bdda218d.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:952
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description tdodveim "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2220
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start tdodveim
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2160

C:\Windows\SysWOW64\tdodveim\nnozuvtb.exe
C:\Windows\SysWOW64\tdodveim\nnozuvtb.exe /d"C:\Users\Admin\AppData\Local\Temp\10955b59a370e9f78636a2b3bdda218d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nnozuvtb.exe

Filesize
5.2MB

MD5
fd785ec6964b258e097cd5e2b44530eb

SHA1
07c0512dd41ca7f5c4392b2392d2b25f48b600f3

SHA256
c861f2ac04c69945a88198837a2a67f90dd401ea4b3bbac207460a44aaf18fd5

SHA512
ff16f6258ffb15df922ceb320b7a97ed8bb11ed747ea3fd1672c3f9e502f09b751cbb7296a2b319d29438966b830c949df2cd0b32c38bcd4500c85a4968caee4

Download Submit
C:\Windows\SysWOW64\tdodveim\nnozuvtb.exe

Filesize
2.7MB

MD5
058dda15c1b6cebdfbe04404e7621cb8

SHA1
fe28dcc7c022559aa0bb12467e787ec665a7c8f7

SHA256
9ea4a34f1715d690ae0fd27f251dd5533f7933245890eb67c7b2298283598da5

SHA512
3f1a137f08c4958738ddc1ab157594091fd49cefe97280ccadf708163410d001b58ef6aa75bb0d0b5df8e7fb68e367093e10c0f384c871cab4aac957a0230cf4

Download Submit
memory/1560-20-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/1560-22-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/1560-21-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/1560-15-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/3012-2-0x0000000003860000-0x0000000003873000-memory.dmp

Filesize
76KB

Download
memory/3012-4-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/3012-5-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/3012-8-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/3012-9-0x0000000003860000-0x0000000003873000-memory.dmp

Filesize
76KB

Download
memory/3012-1-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/4892-12-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/4892-16-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/4892-14-0x0000000000400000-0x00000000036CD000-memory.dmp

Filesize
50.8MB

Download
memory/4892-13-0x00000000038A0000-0x00000000039A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads