tofsee | e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe
Size

282KB
MD5

bf884222d475c45abe8cd88d39b6f84a
SHA1

3819e4744d82d9dc895c13bdeeabd6c13003fa69
SHA256

e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30
SHA512

3e7c2d42a82269492e21ee18add80da57943d7a310ad6df453e8a838b52150e6acfc885afc377e417c24ebd0d72bf5c19596c701139ef02748f993fad6d1cb82
SSDEEP

3072:2CxBPmvf4gRns9F1xleC9bynC/Q65W0oBQ5LlxG:txmnL8F1+C9WnCyFE

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ewtpwntc = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2684	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ewtpwntc\ImagePath = "C:\\Windows\\SysWOW64\\ewtpwntc\\wflwujb.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2648	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	wflwujb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2648	2524	wflwujb.exe	41

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2864	sc.exe
2952	sc.exe
2872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 7cab2d3de02aac0324edb47d450dd49d084297dce82e72baa49813fde47b731d7847696c80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5681cdd8345733be3a4644490bdb57f24ea915801ccf5b954758df21d5904e0a56f17d484497134e49d084295d9e13f4bb4c06d00fdadfd5430d69a420c34f4a66e11edc70f3252a0f40948f48cb17d26e59d5902cff58d387287cc186270a4f93824dc8145743aecaa5215c0bd606d1ddd418a0ca3c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bde5de2622e16d34fdc48e980fe7ad743d05fba67315df86537535e0b35115f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d042f955d24	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2352	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	28
PID 2908 wrote to memory of 2352	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	28
PID 2908 wrote to memory of 2352	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	28
PID 2908 wrote to memory of 2352	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	28
PID 2908 wrote to memory of 2776	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	30
PID 2908 wrote to memory of 2776	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	30
PID 2908 wrote to memory of 2776	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	30
PID 2908 wrote to memory of 2776	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	30
PID 2908 wrote to memory of 2872	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	32
PID 2908 wrote to memory of 2872	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	32
PID 2908 wrote to memory of 2872	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	32
PID 2908 wrote to memory of 2872	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	32
PID 2908 wrote to memory of 2864	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	34
PID 2908 wrote to memory of 2864	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	34
PID 2908 wrote to memory of 2864	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	34
PID 2908 wrote to memory of 2864	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	34
PID 2908 wrote to memory of 2952	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	36
PID 2908 wrote to memory of 2952	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	36
PID 2908 wrote to memory of 2952	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	36
PID 2908 wrote to memory of 2952	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	36
PID 2908 wrote to memory of 2684	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	39
PID 2908 wrote to memory of 2684	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	39
PID 2908 wrote to memory of 2684	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	39
PID 2908 wrote to memory of 2684	2908	e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe	39
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41
PID 2524 wrote to memory of 2648	2524	wflwujb.exe	41

C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe
"C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ewtpwntc\
  2⤵
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wflwujb.exe" C:\Windows\SysWOW64\ewtpwntc\
  2⤵
  PID:2776
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ewtpwntc binPath= "C:\Windows\SysWOW64\ewtpwntc\wflwujb.exe /d\"C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2872
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ewtpwntc "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ewtpwntc
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2684

C:\Windows\SysWOW64\ewtpwntc\wflwujb.exe
C:\Windows\SysWOW64\ewtpwntc\wflwujb.exe /d"C:\Users\Admin\AppData\Local\Temp\e0e24affaba5cb879452bd90e5689284b1eed33dd87dfe8ca145397b9d5bbb30.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wflwujb.exe

Filesize
10.9MB

MD5
394d0f85e2d3162ba1d27d69f089e423

SHA1
d752c8991090353b5b7d5ba2e2c0fae9f3bf779a

SHA256
57810a2b147d37f4277eae5eb905e60bdda2292c8aae6838d40f1cdcb09a0ef7

SHA512
f5f6764f522d0271e8d34559ffa35bae688d9eeaa3c1b7adbed9a518b95b2294dc31e2d2e287060973f73306eb2b4d7867ede191e00536b675d8454d1334578e

Download Submit
C:\Windows\SysWOW64\ewtpwntc\wflwujb.exe

Filesize
512KB

MD5
79503011d53a2cb6bb200c61d81cfb39

SHA1
e4500b4fb556f581fd03a84e6c1a501ca2ebfee7

SHA256
33db4a3e985ecc261685fec96b1114ef8ee06414867f417204ff4b74fe7ccae4

SHA512
51d943cfb549f19c5c23c0604872006538df51a2e202d23dfa3ee77aa4d774273c58faa1816945f6571c60a7a11c025d2d1e5642856a8ff18d1fe962015caef1

Download Submit
memory/2524-9-0x0000000002B90000-0x0000000002C90000-memory.dmp

Filesize
1024KB

Download
memory/2524-17-0x0000000000400000-0x0000000002ABC000-memory.dmp

Filesize
38.7MB

Download
memory/2524-15-0x0000000000400000-0x0000000002ABC000-memory.dmp

Filesize
38.7MB

Download
memory/2648-22-0x0000000001900000-0x0000000001B0F000-memory.dmp

Filesize
2.1MB

Download
memory/2648-19-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-10-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-13-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-32-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-18-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-29-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2648-26-0x00000000000E0000-0x00000000000E6000-memory.dmp

Filesize
24KB

Download
memory/2648-20-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2648-25-0x0000000001900000-0x0000000001B0F000-memory.dmp

Filesize
2.1MB

Download
memory/2908-3-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/2908-1-0x0000000002B40000-0x0000000002C40000-memory.dmp

Filesize
1024KB

Download
memory/2908-7-0x0000000000400000-0x0000000002ABC000-memory.dmp

Filesize
38.7MB

Download
memory/2908-4-0x0000000000400000-0x0000000002ABC000-memory.dmp

Filesize
38.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads