tofsee | 7b7e8d4b97439bbb4b4e84f76abe0ab65b7952e6d77954f73ecc4aa8aaca0368

General

Target

266901a548588b9f1b220e7b57831b0e.exe
Size

10.8MB
MD5

266901a548588b9f1b220e7b57831b0e
SHA1

215017a2f19f678d864db773349addc17de580b1
SHA256

7b7e8d4b97439bbb4b4e84f76abe0ab65b7952e6d77954f73ecc4aa8aaca0368
SHA512

56f823948da80600fa254bba936d86672f62efb5ed383e1c644878f93f054620f0c3a7cd3fcaeaf53dcfa0df3bea9ba0e7966214b504bcdc064d04327884882d
SSDEEP

98304:cbxPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:cb

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

defeatwax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1360	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	266901a548588b9f1b220e7b57831b0e.exe

Executes dropped EXE 1 IoCs

pid	Process
2400	pvysjeid.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2272	sc.exe
1352	sc.exe
3152	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2764	3676	WerFault.exe	16
4724	2400	WerFault.exe	100

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3892	3676	266901a548588b9f1b220e7b57831b0e.exe	56
PID 3676 wrote to memory of 3892	3676	266901a548588b9f1b220e7b57831b0e.exe	56
PID 3676 wrote to memory of 3892	3676	266901a548588b9f1b220e7b57831b0e.exe	56
PID 3676 wrote to memory of 4980	3676	266901a548588b9f1b220e7b57831b0e.exe	67
PID 3676 wrote to memory of 4980	3676	266901a548588b9f1b220e7b57831b0e.exe	67
PID 3676 wrote to memory of 4980	3676	266901a548588b9f1b220e7b57831b0e.exe	67
PID 3676 wrote to memory of 2272	3676	266901a548588b9f1b220e7b57831b0e.exe	77
PID 3676 wrote to memory of 2272	3676	266901a548588b9f1b220e7b57831b0e.exe	77
PID 3676 wrote to memory of 2272	3676	266901a548588b9f1b220e7b57831b0e.exe	77
PID 3676 wrote to memory of 1352	3676	266901a548588b9f1b220e7b57831b0e.exe	89
PID 3676 wrote to memory of 1352	3676	266901a548588b9f1b220e7b57831b0e.exe	89
PID 3676 wrote to memory of 1352	3676	266901a548588b9f1b220e7b57831b0e.exe	89
PID 3676 wrote to memory of 3152	3676	266901a548588b9f1b220e7b57831b0e.exe	99
PID 3676 wrote to memory of 3152	3676	266901a548588b9f1b220e7b57831b0e.exe	99
PID 3676 wrote to memory of 3152	3676	266901a548588b9f1b220e7b57831b0e.exe	99
PID 3676 wrote to memory of 1360	3676	266901a548588b9f1b220e7b57831b0e.exe	105
PID 3676 wrote to memory of 1360	3676	266901a548588b9f1b220e7b57831b0e.exe	105
PID 3676 wrote to memory of 1360	3676	266901a548588b9f1b220e7b57831b0e.exe	105

C:\Users\Admin\AppData\Local\Temp\266901a548588b9f1b220e7b57831b0e.exe
"C:\Users\Admin\AppData\Local\Temp\266901a548588b9f1b220e7b57831b0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\husnmihe\
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pvysjeid.exe" C:\Windows\SysWOW64\husnmihe\
  2⤵
  PID:4980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create husnmihe binPath= "C:\Windows\SysWOW64\husnmihe\pvysjeid.exe /d\"C:\Users\Admin\AppData\Local\Temp\266901a548588b9f1b220e7b57831b0e.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description husnmihe "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start husnmihe
  2⤵
  - Launches sc.exe
  PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 596
  2⤵
  - Program crash
  PID:2764
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:1360

C:\Windows\SysWOW64\husnmihe\pvysjeid.exe
C:\Windows\SysWOW64\husnmihe\pvysjeid.exe /d"C:\Users\Admin\AppData\Local\Temp\266901a548588b9f1b220e7b57831b0e.exe"
1⤵
- Executes dropped EXE
PID:2400
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 348
  2⤵
  - Program crash
  PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3676 -ip 3676
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2400 -ip 2400
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\husnmihe\pvysjeid.exe

Filesize
95KB

MD5
180d32e945464c18dbc9d1997e511e44

SHA1
872ddad1e4f6deb4ad9c7ed604831aee0e3e0b02

SHA256
93428056fc5357cd2f680749365429106054c31d49715d334676ad5e9b669594

SHA512
202dc6ae526e9734ffa7990c8ac59ca1caba01cdad12e42eea04a8a3e1cf3035b2d7e40d0d2e48d59b5586aa1b9e7cc8246b44e49265f8adb88d7730f92ab33f

Download Submit
memory/2400-17-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2400-12-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2400-10-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/3676-1-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/3676-4-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/3676-8-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/3676-9-0x0000000000C20000-0x0000000000C33000-memory.dmp

Filesize
76KB

Download
memory/3676-2-0x0000000000C20000-0x0000000000C33000-memory.dmp

Filesize
76KB

Download
memory/4964-11-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download
memory/4964-15-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download
memory/4964-18-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download
memory/4964-16-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download
memory/4964-19-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads