tofsee | 9c7030dfcb2bd5c4ef20d8b9280edf48189f3c0dd6dc08914a7e6a1c96690a35

General

Target

8da541692d6b266d5917ed8c678b9cf6.exe
Size

11.7MB
MD5

8da541692d6b266d5917ed8c678b9cf6
SHA1

fe43e391f697fc87f12b9f5f10dd084d883b919c
SHA256

9c7030dfcb2bd5c4ef20d8b9280edf48189f3c0dd6dc08914a7e6a1c96690a35
SHA512

a1de4e825b86d2a11669a58bfebc08dce906ad75291405a4bb89b03359b20d73aaa5e083571f84a6e64a7373ec2a2a9b4abb828441a75ba1c1a86e3e2407f17a
SSDEEP

196608:5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4840	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dyxdohow\ImagePath = "C:\\Windows\\SysWOW64\\dyxdohow\\smorkjj.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8da541692d6b266d5917ed8c678b9cf6.exe

Deletes itself 1 IoCs

pid	Process
1940	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
868	smorkjj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 1940	868	smorkjj.exe	112

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3656	sc.exe
1644	sc.exe
1284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3908	3196	WerFault.exe	17
4164	868	WerFault.exe	102

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 952	3196	8da541692d6b266d5917ed8c678b9cf6.exe	91
PID 3196 wrote to memory of 952	3196	8da541692d6b266d5917ed8c678b9cf6.exe	91
PID 3196 wrote to memory of 952	3196	8da541692d6b266d5917ed8c678b9cf6.exe	91
PID 3196 wrote to memory of 1620	3196	8da541692d6b266d5917ed8c678b9cf6.exe	94
PID 3196 wrote to memory of 1620	3196	8da541692d6b266d5917ed8c678b9cf6.exe	94
PID 3196 wrote to memory of 1620	3196	8da541692d6b266d5917ed8c678b9cf6.exe	94
PID 3196 wrote to memory of 3656	3196	8da541692d6b266d5917ed8c678b9cf6.exe	98
PID 3196 wrote to memory of 3656	3196	8da541692d6b266d5917ed8c678b9cf6.exe	98
PID 3196 wrote to memory of 3656	3196	8da541692d6b266d5917ed8c678b9cf6.exe	98
PID 3196 wrote to memory of 1644	3196	8da541692d6b266d5917ed8c678b9cf6.exe	100
PID 3196 wrote to memory of 1644	3196	8da541692d6b266d5917ed8c678b9cf6.exe	100
PID 3196 wrote to memory of 1644	3196	8da541692d6b266d5917ed8c678b9cf6.exe	100
PID 3196 wrote to memory of 1284	3196	8da541692d6b266d5917ed8c678b9cf6.exe	103
PID 3196 wrote to memory of 1284	3196	8da541692d6b266d5917ed8c678b9cf6.exe	103
PID 3196 wrote to memory of 1284	3196	8da541692d6b266d5917ed8c678b9cf6.exe	103
PID 3196 wrote to memory of 4840	3196	8da541692d6b266d5917ed8c678b9cf6.exe	104
PID 3196 wrote to memory of 4840	3196	8da541692d6b266d5917ed8c678b9cf6.exe	104
PID 3196 wrote to memory of 4840	3196	8da541692d6b266d5917ed8c678b9cf6.exe	104
PID 868 wrote to memory of 1940	868	smorkjj.exe	112
PID 868 wrote to memory of 1940	868	smorkjj.exe	112
PID 868 wrote to memory of 1940	868	smorkjj.exe	112
PID 868 wrote to memory of 1940	868	smorkjj.exe	112
PID 868 wrote to memory of 1940	868	smorkjj.exe	112

C:\Users\Admin\AppData\Local\Temp\8da541692d6b266d5917ed8c678b9cf6.exe
"C:\Users\Admin\AppData\Local\Temp\8da541692d6b266d5917ed8c678b9cf6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dyxdohow\
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\smorkjj.exe" C:\Windows\SysWOW64\dyxdohow\
  2⤵
  PID:1620
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create dyxdohow binPath= "C:\Windows\SysWOW64\dyxdohow\smorkjj.exe /d\"C:\Users\Admin\AppData\Local\Temp\8da541692d6b266d5917ed8c678b9cf6.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3656
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description dyxdohow "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1644
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start dyxdohow
  2⤵
  - Launches sc.exe
  PID:1284
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1252
  2⤵
  - Program crash
  PID:3908

C:\Windows\SysWOW64\dyxdohow\smorkjj.exe
C:\Windows\SysWOW64\dyxdohow\smorkjj.exe /d"C:\Users\Admin\AppData\Local\Temp\8da541692d6b266d5917ed8c678b9cf6.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 552
  2⤵
  - Program crash
  PID:4164
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3196 -ip 3196
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smorkjj.exe

Filesize
395KB

MD5
c8b85892c2a08e5e7531bd48dad4234b

SHA1
19df938aa8649dacfa7d1051747dcdb388cef3f1

SHA256
22a75d8b6a6ca5d47983b93f486e619446abc6268e4974b01072e0afd077e5fa

SHA512
203ad912ab1345610c5797f60d5967dea782b2c3d59cb8ce65166a01a3990c9e0416ccfd877fa09d3f5327e0272aaa44894eb2a85e5171a164a5fbd43ab4fa6d

Download Submit
C:\Windows\SysWOW64\dyxdohow\smorkjj.exe

Filesize
124KB

MD5
3bf69a22d98a50258a6c8dca8aff4412

SHA1
1518f01783da0f4ddf81e0d4c2516169ab8ecebd

SHA256
931ff8d031525fddccb25cc431add20fdc4b5e7d8f83135db4cd2a3d43ae0d44

SHA512
ccfdcb84cc6e0ace27fb7380bbf1d8d93c7de93038d9f60aa9712cdeada87a079c7fce510f934ed7eac46e55794a9d363d7fff64f2f4866eb28543df37ad31d8

Download Submit
memory/868-12-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/868-14-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1940-16-0x0000000000F40000-0x0000000000F55000-memory.dmp

Filesize
84KB

Download
memory/1940-15-0x0000000000F40000-0x0000000000F55000-memory.dmp

Filesize
84KB

Download
memory/1940-18-0x0000000000F40000-0x0000000000F55000-memory.dmp

Filesize
84KB

Download
memory/1940-10-0x0000000000F40000-0x0000000000F55000-memory.dmp

Filesize
84KB

Download
memory/1940-19-0x0000000000F40000-0x0000000000F55000-memory.dmp

Filesize
84KB

Download
memory/3196-7-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/3196-8-0x0000000000C90000-0x0000000000CA3000-memory.dmp

Filesize
76KB

Download
memory/3196-2-0x0000000000C90000-0x0000000000CA3000-memory.dmp

Filesize
76KB

Download
memory/3196-1-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

Filesize
1024KB

Download
memory/3196-4-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads