tofsee | bb19283d50fe702280862d84abb9a72f6546de7d5f030bba4266fc589bb93bd3

General

Target

504365551a406e82ac71872b066960e6.exe
Size

10.5MB
MD5

504365551a406e82ac71872b066960e6
SHA1

03af4ce319ee6b27aa816bb6a24a35ca606c140e
SHA256

bb19283d50fe702280862d84abb9a72f6546de7d5f030bba4266fc589bb93bd3
SHA512

0656f6cfcfc92e94a877dca8f7281576d1a247ce75f81e7ef1b14fe8b2f7edfc2f93a3ef6013f668f994b92dcc019fdc1759f10ef505c64f8e977dec7a56bd9b
SSDEEP

49152:2ckGb22222222222222222222222222222222222222222222222222222222223:2ck

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2284	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ocpzpwbk\ImagePath = "C:\\Windows\\SysWOW64\\ocpzpwbk\\otdysebd.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	504365551a406e82ac71872b066960e6.exe

Deletes itself 1 IoCs

pid	Process
2716	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
680	otdysebd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 680 set thread context of 2716	680	otdysebd.exe	108

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1488	sc.exe
640	sc.exe
4864	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1360	4900	WerFault.exe	88
1676	680	WerFault.exe	102

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1844	4900	504365551a406e82ac71872b066960e6.exe	93
PID 4900 wrote to memory of 1844	4900	504365551a406e82ac71872b066960e6.exe	93
PID 4900 wrote to memory of 1844	4900	504365551a406e82ac71872b066960e6.exe	93
PID 4900 wrote to memory of 620	4900	504365551a406e82ac71872b066960e6.exe	95
PID 4900 wrote to memory of 620	4900	504365551a406e82ac71872b066960e6.exe	95
PID 4900 wrote to memory of 620	4900	504365551a406e82ac71872b066960e6.exe	95
PID 4900 wrote to memory of 1488	4900	504365551a406e82ac71872b066960e6.exe	97
PID 4900 wrote to memory of 1488	4900	504365551a406e82ac71872b066960e6.exe	97
PID 4900 wrote to memory of 1488	4900	504365551a406e82ac71872b066960e6.exe	97
PID 4900 wrote to memory of 640	4900	504365551a406e82ac71872b066960e6.exe	99
PID 4900 wrote to memory of 640	4900	504365551a406e82ac71872b066960e6.exe	99
PID 4900 wrote to memory of 640	4900	504365551a406e82ac71872b066960e6.exe	99
PID 4900 wrote to memory of 4864	4900	504365551a406e82ac71872b066960e6.exe	101
PID 4900 wrote to memory of 4864	4900	504365551a406e82ac71872b066960e6.exe	101
PID 4900 wrote to memory of 4864	4900	504365551a406e82ac71872b066960e6.exe	101
PID 4900 wrote to memory of 2284	4900	504365551a406e82ac71872b066960e6.exe	110
PID 4900 wrote to memory of 2284	4900	504365551a406e82ac71872b066960e6.exe	110
PID 4900 wrote to memory of 2284	4900	504365551a406e82ac71872b066960e6.exe	110
PID 680 wrote to memory of 2716	680	otdysebd.exe	108
PID 680 wrote to memory of 2716	680	otdysebd.exe	108
PID 680 wrote to memory of 2716	680	otdysebd.exe	108
PID 680 wrote to memory of 2716	680	otdysebd.exe	108
PID 680 wrote to memory of 2716	680	otdysebd.exe	108

C:\Users\Admin\AppData\Local\Temp\504365551a406e82ac71872b066960e6.exe
"C:\Users\Admin\AppData\Local\Temp\504365551a406e82ac71872b066960e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ocpzpwbk\
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\otdysebd.exe" C:\Windows\SysWOW64\ocpzpwbk\
  2⤵
  PID:620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ocpzpwbk binPath= "C:\Windows\SysWOW64\ocpzpwbk\otdysebd.exe /d\"C:\Users\Admin\AppData\Local\Temp\504365551a406e82ac71872b066960e6.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ocpzpwbk "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:640
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ocpzpwbk
  2⤵
  - Launches sc.exe
  PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1036
  2⤵
  - Program crash
  PID:1360
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2284

C:\Windows\SysWOW64\ocpzpwbk\otdysebd.exe
C:\Windows\SysWOW64\ocpzpwbk\otdysebd.exe /d"C:\Users\Admin\AppData\Local\Temp\504365551a406e82ac71872b066960e6.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 508
  2⤵
  - Program crash
  PID:1676
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 680 -ip 680
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\otdysebd.exe

Filesize
150KB

MD5
206cb86d9962a8cc7d5a06ad7130d3f9

SHA1
0498bdd20c8db21ceed962019960d62e6ad9d1e7

SHA256
77c2d637c2ee8b7adffd1678362f9fcbe7a9526916fd056cdffa252c14dae453

SHA512
1005a5c7deaaa4a8139fe0e9c221ed5c9f527464ffeb0f2185785a512680ced987145c974f34b6a9af057b630b20e660ab22978d1e8adcc699bcf05926b944de

Download Submit
C:\Windows\SysWOW64\ocpzpwbk\otdysebd.exe

Filesize
89KB

MD5
4ba9174312a7f18b29b4ed93f3f53baf

SHA1
de61d356fb7026dd9fd045dbae550a82026e6e89

SHA256
4bf11582f011681f54d4a3f60cbb8f7a8be7304b599bf3c6917fa25a1e5f25c8

SHA512
4cc18dfd00643d57719d08d0e442d5a986f1c951b2c32716a7c9293b5a6a3ed4c58546ebc98ad743f6312c42780c3e321da3d52992717ecf0e2c4db2ec6c6582

Download Submit
memory/680-15-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/680-10-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/680-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/680-8-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2716-14-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/2716-11-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/2716-17-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/2716-18-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/2716-19-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/4900-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4900-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/4900-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4900-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads