tofsee | a72fe0e974100d0d8d1bf79aed12e9ced6d30e1858d02d2cfa96346073de4555

General

Target

6579b65897fd523a9df7f1f271b83937.exe
Size

12.9MB
MD5

6579b65897fd523a9df7f1f271b83937
SHA1

74efe89236c786277be4c231e3d0e31f37515cc9
SHA256

a72fe0e974100d0d8d1bf79aed12e9ced6d30e1858d02d2cfa96346073de4555
SHA512

479c3899f74cf5a7739532998edc1dddf274c74824f4ac4fa38a5b212700838ae0e2452ed17d1fc6bbc2ba274af9b1e45c142ca909f6078d3c52db2537e05396
SSDEEP

24576:KUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmn:KF15

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3100	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nilyfwli\ImagePath = "C:\\Windows\\SysWOW64\\nilyfwli\\mzqzrega.exe"	mzqzrega.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6579b65897fd523a9df7f1f271b83937.exe

Deletes itself 1 IoCs

pid	Process
4388	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	mzqzrega.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 4388	2940	mzqzrega.exe	116

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
464	sc.exe
1000	sc.exe
1596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5080	1732	WerFault.exe	90
1540	2940	WerFault.exe	108

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2276	1732	6579b65897fd523a9df7f1f271b83937.exe	95
PID 1732 wrote to memory of 2276	1732	6579b65897fd523a9df7f1f271b83937.exe	95
PID 1732 wrote to memory of 2276	1732	6579b65897fd523a9df7f1f271b83937.exe	95
PID 1732 wrote to memory of 1904	1732	6579b65897fd523a9df7f1f271b83937.exe	99
PID 1732 wrote to memory of 1904	1732	6579b65897fd523a9df7f1f271b83937.exe	99
PID 1732 wrote to memory of 1904	1732	6579b65897fd523a9df7f1f271b83937.exe	99
PID 1732 wrote to memory of 464	1732	6579b65897fd523a9df7f1f271b83937.exe	101
PID 1732 wrote to memory of 464	1732	6579b65897fd523a9df7f1f271b83937.exe	101
PID 1732 wrote to memory of 464	1732	6579b65897fd523a9df7f1f271b83937.exe	101
PID 1732 wrote to memory of 1000	1732	6579b65897fd523a9df7f1f271b83937.exe	104
PID 1732 wrote to memory of 1000	1732	6579b65897fd523a9df7f1f271b83937.exe	104
PID 1732 wrote to memory of 1000	1732	6579b65897fd523a9df7f1f271b83937.exe	104
PID 1732 wrote to memory of 1596	1732	6579b65897fd523a9df7f1f271b83937.exe	107
PID 1732 wrote to memory of 1596	1732	6579b65897fd523a9df7f1f271b83937.exe	107
PID 1732 wrote to memory of 1596	1732	6579b65897fd523a9df7f1f271b83937.exe	107
PID 1732 wrote to memory of 3100	1732	6579b65897fd523a9df7f1f271b83937.exe	111
PID 1732 wrote to memory of 3100	1732	6579b65897fd523a9df7f1f271b83937.exe	111
PID 1732 wrote to memory of 3100	1732	6579b65897fd523a9df7f1f271b83937.exe	111
PID 2940 wrote to memory of 4388	2940	mzqzrega.exe	116
PID 2940 wrote to memory of 4388	2940	mzqzrega.exe	116
PID 2940 wrote to memory of 4388	2940	mzqzrega.exe	116
PID 2940 wrote to memory of 4388	2940	mzqzrega.exe	116
PID 2940 wrote to memory of 4388	2940	mzqzrega.exe	116

C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe
"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nilyfwli\
  2⤵
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mzqzrega.exe" C:\Windows\SysWOW64\nilyfwli\
  2⤵
  PID:1904
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nilyfwli binPath= "C:\Windows\SysWOW64\nilyfwli\mzqzrega.exe /d\"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:464
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nilyfwli "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1000
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nilyfwli
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1028
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\nilyfwli\mzqzrega.exe
C:\Windows\SysWOW64\nilyfwli\mzqzrega.exe /d"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 512
  2⤵
  - Program crash
  PID:1540
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Deletes itself
  PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1732 -ip 1732
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2940 -ip 2940
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mzqzrega.exe

Filesize
1005KB

MD5
e42003855d8b3bd5f8d3d140a97e6ce1

SHA1
051889108ce15b74648e3b46a5c44f266003991c

SHA256
704b40893727b1d11b07a7c1350fc95efd7fa11ec33550dd3d494fb23346804e

SHA512
c7fcb97648d1553916b03b810f3305ad589eabbd1dbd03f0469ac807bcc67cda19dd6e3d32581c9de2231b904354816561938196fa9f4d97f3fb291ac532e624

Download Submit
C:\Windows\SysWOW64\nilyfwli\mzqzrega.exe

Filesize
849KB

MD5
10e9a409de457088da318135737c4c2f

SHA1
f8d5a0d24fd05b888312550e769cfd92db04818a

SHA256
35ea2efdeb74774fd380357f56f319aa138e59659b725b7b2a04e88a84fbc7a6

SHA512
31798463668e81decddda7dec58582868fac0f44ca1168959d94aeda56a670f6c3640538601cc2e0fe94ac6cbadb8c8eb083dae793a8bbfc8141bdb7c8a65519

Download Submit
memory/1732-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1732-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1732-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1732-9-0x00000000021C0000-0x00000000021D3000-memory.dmp

Filesize
76KB

Download
memory/1732-2-0x00000000021C0000-0x00000000021D3000-memory.dmp

Filesize
76KB

Download
memory/2940-18-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2940-11-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2940-10-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/4388-12-0x00000000012E0000-0x00000000012F5000-memory.dmp

Filesize
84KB

Download
memory/4388-17-0x00000000012E0000-0x00000000012F5000-memory.dmp

Filesize
84KB

Download
memory/4388-16-0x00000000012E0000-0x00000000012F5000-memory.dmp

Filesize
84KB

Download
memory/4388-19-0x00000000012E0000-0x00000000012F5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads