tofsee | 89fb1911ddfe210dbc22eaed8208dd730ff5f81b79180e613017d9ea1154f218

General

Target

048dbb13d456e5edb0852bb0be9a2fd7.exe
Size

14.0MB
MD5

048dbb13d456e5edb0852bb0be9a2fd7
SHA1

e03626c61c1502d35c4bb47a01de533c10382b4e
SHA256

89fb1911ddfe210dbc22eaed8208dd730ff5f81b79180e613017d9ea1154f218
SHA512

2de5516bc8aa144ed18a50797a35d9085a4bfda647a33ec20a5cce9d3dcbde12d93e5a5c9e22a1ab01dbcb8e2992e4bde28debb8b35483e6e646fa131f4e5f5d
SSDEEP

24576:mjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeP:m/D

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3572	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oahmnagn\ImagePath = "C:\\Windows\\SysWOW64\\oahmnagn\\bfmqsvlx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	048dbb13d456e5edb0852bb0be9a2fd7.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	bfmqsvlx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4164 set thread context of 1864	4164	bfmqsvlx.exe	103

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
540	sc.exe
2632	sc.exe
4040	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4724	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	91
PID 3360 wrote to memory of 4724	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	91
PID 3360 wrote to memory of 4724	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	91
PID 3360 wrote to memory of 1600	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	93
PID 3360 wrote to memory of 1600	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	93
PID 3360 wrote to memory of 1600	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	93
PID 3360 wrote to memory of 540	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	94
PID 3360 wrote to memory of 540	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	94
PID 3360 wrote to memory of 540	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	94
PID 3360 wrote to memory of 2632	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	96
PID 3360 wrote to memory of 2632	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	96
PID 3360 wrote to memory of 2632	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	96
PID 3360 wrote to memory of 4040	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	98
PID 3360 wrote to memory of 4040	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	98
PID 3360 wrote to memory of 4040	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	98
PID 3360 wrote to memory of 3572	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	100
PID 3360 wrote to memory of 3572	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	100
PID 3360 wrote to memory of 3572	3360	048dbb13d456e5edb0852bb0be9a2fd7.exe	100
PID 4164 wrote to memory of 1864	4164	bfmqsvlx.exe	103
PID 4164 wrote to memory of 1864	4164	bfmqsvlx.exe	103
PID 4164 wrote to memory of 1864	4164	bfmqsvlx.exe	103
PID 4164 wrote to memory of 1864	4164	bfmqsvlx.exe	103
PID 4164 wrote to memory of 1864	4164	bfmqsvlx.exe	103

C:\Users\Admin\AppData\Local\Temp\048dbb13d456e5edb0852bb0be9a2fd7.exe
"C:\Users\Admin\AppData\Local\Temp\048dbb13d456e5edb0852bb0be9a2fd7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oahmnagn\
  2⤵
  PID:4724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bfmqsvlx.exe" C:\Windows\SysWOW64\oahmnagn\
  2⤵
  PID:1600
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create oahmnagn binPath= "C:\Windows\SysWOW64\oahmnagn\bfmqsvlx.exe /d\"C:\Users\Admin\AppData\Local\Temp\048dbb13d456e5edb0852bb0be9a2fd7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:540
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description oahmnagn "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start oahmnagn
  2⤵
  - Launches sc.exe
  PID:4040
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3572

C:\Windows\SysWOW64\oahmnagn\bfmqsvlx.exe
C:\Windows\SysWOW64\oahmnagn\bfmqsvlx.exe /d"C:\Users\Admin\AppData\Local\Temp\048dbb13d456e5edb0852bb0be9a2fd7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfmqsvlx.exe

Filesize
222KB

MD5
4bfcdec945da0bdc8bee5714c0f00ba3

SHA1
548bdefaa9eb2aac665557f2b90a4c90bcb07cb9

SHA256
9250e963dcd0cd727fd16b7420e56567e9184da7c907259fe618ac6ec144d2b3

SHA512
b39f4ade1d51d360588b4349a1288cb067211cae785a9d8511d2d46fab6458a6a2bf4f1fd8e0da1a84e25c924d54f08b9c568a3c78f3afa7dda75787959a9fe8

Download Submit
C:\Windows\SysWOW64\oahmnagn\bfmqsvlx.exe

Filesize
112KB

MD5
0c5d3118e281b1fa5d71cebca066e45f

SHA1
107523a5e071c99f8275b47b49cdcb63d68b8506

SHA256
ddfe518dd39ac55a075fba661d360fbde04c3f6f8e38379b8c134af5e4bacd66

SHA512
426d704377bfec2a6e73741adc9624c97e20d3751e88c1e9b7480448ad4bbc25fe43ad547948e2cb74343cc5c495649be20f652af6556f68e4e6cda3b846d520

Download Submit
memory/1864-13-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/1864-26-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/1864-10-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/1864-15-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/1864-16-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/3360-23-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/3360-1-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/3360-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3360-2-0x00000000005C0000-0x00000000005D3000-memory.dmp

Filesize
76KB

Download
memory/3360-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4164-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4164-22-0x0000000000820000-0x0000000000833000-memory.dmp

Filesize
76KB

Download
memory/4164-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4164-8-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads