tofsee | 70744b1608394252692343b9e70caa0e5c62c293d0346be00ca03d4797d7eebd

General

Target

4c4c357d02bffaa62641f0b634afebff.exe
Size

14.8MB
MD5

4c4c357d02bffaa62641f0b634afebff
SHA1

ea5a5aa03cc225f166a7345693c4332d0e6794ff
SHA256

70744b1608394252692343b9e70caa0e5c62c293d0346be00ca03d4797d7eebd
SHA512

7fd79a34c0733022a8a2acb1f4f4e03267100899dc358755ba175fbded1c9bfbe5682538d681ab795f265778d09ab74d0d62a07d76dced02af8ae9a211977d64
SSDEEP

6144:Tq5GpsuCvQJUYCnXy+QpxxKPQaOaeZ4PybPsFG86f:TqONJUYCnXyJzwEa6LsA8K

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4992	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uqbzrhoo\ImagePath = "C:\\Windows\\SysWOW64\\uqbzrhoo\\zcuwrhls.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4c4c357d02bffaa62641f0b634afebff.exe

Deletes itself 1 IoCs

pid	Process
4492	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	zcuwrhls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 4492	4984	zcuwrhls.exe	119

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4580	sc.exe
3160	sc.exe
4684	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1972	3192	WerFault.exe	89
1532	4984	WerFault.exe	115

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2256	3192	4c4c357d02bffaa62641f0b634afebff.exe	100
PID 3192 wrote to memory of 2256	3192	4c4c357d02bffaa62641f0b634afebff.exe	100
PID 3192 wrote to memory of 2256	3192	4c4c357d02bffaa62641f0b634afebff.exe	100
PID 3192 wrote to memory of 4952	3192	4c4c357d02bffaa62641f0b634afebff.exe	102
PID 3192 wrote to memory of 4952	3192	4c4c357d02bffaa62641f0b634afebff.exe	102
PID 3192 wrote to memory of 4952	3192	4c4c357d02bffaa62641f0b634afebff.exe	102
PID 3192 wrote to memory of 4684	3192	4c4c357d02bffaa62641f0b634afebff.exe	104
PID 3192 wrote to memory of 4684	3192	4c4c357d02bffaa62641f0b634afebff.exe	104
PID 3192 wrote to memory of 4684	3192	4c4c357d02bffaa62641f0b634afebff.exe	104
PID 3192 wrote to memory of 4580	3192	4c4c357d02bffaa62641f0b634afebff.exe	107
PID 3192 wrote to memory of 4580	3192	4c4c357d02bffaa62641f0b634afebff.exe	107
PID 3192 wrote to memory of 4580	3192	4c4c357d02bffaa62641f0b634afebff.exe	107
PID 3192 wrote to memory of 3160	3192	4c4c357d02bffaa62641f0b634afebff.exe	109
PID 3192 wrote to memory of 3160	3192	4c4c357d02bffaa62641f0b634afebff.exe	109
PID 3192 wrote to memory of 3160	3192	4c4c357d02bffaa62641f0b634afebff.exe	109
PID 3192 wrote to memory of 4992	3192	4c4c357d02bffaa62641f0b634afebff.exe	112
PID 3192 wrote to memory of 4992	3192	4c4c357d02bffaa62641f0b634afebff.exe	112
PID 3192 wrote to memory of 4992	3192	4c4c357d02bffaa62641f0b634afebff.exe	112
PID 4984 wrote to memory of 4492	4984	zcuwrhls.exe	119
PID 4984 wrote to memory of 4492	4984	zcuwrhls.exe	119
PID 4984 wrote to memory of 4492	4984	zcuwrhls.exe	119
PID 4984 wrote to memory of 4492	4984	zcuwrhls.exe	119
PID 4984 wrote to memory of 4492	4984	zcuwrhls.exe	119

C:\Users\Admin\AppData\Local\Temp\4c4c357d02bffaa62641f0b634afebff.exe
"C:\Users\Admin\AppData\Local\Temp\4c4c357d02bffaa62641f0b634afebff.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uqbzrhoo\
  2⤵
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zcuwrhls.exe" C:\Windows\SysWOW64\uqbzrhoo\
  2⤵
  PID:4952
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uqbzrhoo binPath= "C:\Windows\SysWOW64\uqbzrhoo\zcuwrhls.exe /d\"C:\Users\Admin\AppData\Local\Temp\4c4c357d02bffaa62641f0b634afebff.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4684
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uqbzrhoo "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4580
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uqbzrhoo
  2⤵
  - Launches sc.exe
  PID:3160
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1180
  2⤵
  - Program crash
  PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3192 -ip 3192
1⤵
PID:2004

C:\Windows\SysWOW64\uqbzrhoo\zcuwrhls.exe
C:\Windows\SysWOW64\uqbzrhoo\zcuwrhls.exe /d"C:\Users\Admin\AppData\Local\Temp\4c4c357d02bffaa62641f0b634afebff.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 520
  2⤵
  - Program crash
  PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4984 -ip 4984
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zcuwrhls.exe

Filesize
13.4MB

MD5
7f121746644161db300afec78d71014a

SHA1
cd18cfbe1217ab7171ec4d669e827acea167e941

SHA256
f3d5a316ab78039f6a435dee2928451f2eabb8e4332a60edfe97140c5c32d1cf

SHA512
84f528423117245b1d593b7199ece8a753fb053871138acf0e28c10fbd41ce7999ffb527b243d12698951b55a039d86afa548c8b9106b1ca42d5c2b060f3b3b2

Download Submit
C:\Windows\SysWOW64\uqbzrhoo\zcuwrhls.exe

Filesize
6.4MB

MD5
b19ae6ae0f666b9e4ef9c36715f97b24

SHA1
486aa92a57859f80573126d290a6fbe35d59f720

SHA256
5cea739bbd2c1c0c0bcee9dcdecb764bdd4b3cf03b79e8b6f2d9c2153565fd0f

SHA512
ebd42a3676fe4f30dee559ee97a8c3b4bf78211d2af7656c39ffcd8ffa1d4fb06138ae00d98edd1cb3d50045555c306ec1bbe68a5445a6b8852b5759184f9274

Download Submit
memory/3192-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3192-2-0x0000000000600000-0x0000000000613000-memory.dmp

Filesize
76KB

Download
memory/3192-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3192-7-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/3192-8-0x0000000000600000-0x0000000000613000-memory.dmp

Filesize
76KB

Download
memory/3192-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3192-1-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/3192-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4492-20-0x00000000006A0000-0x00000000006B5000-memory.dmp

Filesize
84KB

Download
memory/4492-24-0x00000000006A0000-0x00000000006B5000-memory.dmp

Filesize
84KB

Download
memory/4492-26-0x00000000006A0000-0x00000000006B5000-memory.dmp

Filesize
84KB

Download
memory/4492-27-0x00000000006A0000-0x00000000006B5000-memory.dmp

Filesize
84KB

Download
memory/4984-18-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/4984-19-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4984-25-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads