tofsee | 630806b20660578f81ad037cbc49029aa8abd16251f56737b4d7f92ec9864858

General

Target

9ab434eaec334cd3c7ad3de7860f50e9.exe
Size

14.1MB
MD5

9ab434eaec334cd3c7ad3de7860f50e9
SHA1

ef2f800d35b1c03d831cadd0097bb0f902b52e2b
SHA256

630806b20660578f81ad037cbc49029aa8abd16251f56737b4d7f92ec9864858
SHA512

4fca6dde32468c4fa04ef22dd97550b62bfed8fb91982d722fb7385ebc380018f3e2428bf1f4c45a05e334b61a2890001e495e6623c1bb3059b50524a93aaab9
SSDEEP

49152:HQsPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:HQ

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3568	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\exitgfwx\ImagePath = "C:\\Windows\\SysWOW64\\exitgfwx\\hbdauqaf.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	9ab434eaec334cd3c7ad3de7860f50e9.exe

Deletes itself 1 IoCs

pid	Process
1432	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	hbdauqaf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 1432	1564	hbdauqaf.exe	103

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
892	sc.exe
1524	sc.exe
2156	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4444	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	89
PID 3104 wrote to memory of 4444	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	89
PID 3104 wrote to memory of 4444	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	89
PID 3104 wrote to memory of 2388	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	91
PID 3104 wrote to memory of 2388	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	91
PID 3104 wrote to memory of 2388	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	91
PID 3104 wrote to memory of 892	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	93
PID 3104 wrote to memory of 892	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	93
PID 3104 wrote to memory of 892	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	93
PID 3104 wrote to memory of 1524	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	95
PID 3104 wrote to memory of 1524	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	95
PID 3104 wrote to memory of 1524	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	95
PID 3104 wrote to memory of 2156	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	97
PID 3104 wrote to memory of 2156	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	97
PID 3104 wrote to memory of 2156	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	97
PID 3104 wrote to memory of 3568	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	99
PID 3104 wrote to memory of 3568	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	99
PID 3104 wrote to memory of 3568	3104	9ab434eaec334cd3c7ad3de7860f50e9.exe	99
PID 1564 wrote to memory of 1432	1564	hbdauqaf.exe	103
PID 1564 wrote to memory of 1432	1564	hbdauqaf.exe	103
PID 1564 wrote to memory of 1432	1564	hbdauqaf.exe	103
PID 1564 wrote to memory of 1432	1564	hbdauqaf.exe	103
PID 1564 wrote to memory of 1432	1564	hbdauqaf.exe	103

C:\Users\Admin\AppData\Local\Temp\9ab434eaec334cd3c7ad3de7860f50e9.exe
"C:\Users\Admin\AppData\Local\Temp\9ab434eaec334cd3c7ad3de7860f50e9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\exitgfwx\
  2⤵
  PID:4444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbdauqaf.exe" C:\Windows\SysWOW64\exitgfwx\
  2⤵
  PID:2388
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create exitgfwx binPath= "C:\Windows\SysWOW64\exitgfwx\hbdauqaf.exe /d\"C:\Users\Admin\AppData\Local\Temp\9ab434eaec334cd3c7ad3de7860f50e9.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:892
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description exitgfwx "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1524
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start exitgfwx
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3568

C:\Windows\SysWOW64\exitgfwx\hbdauqaf.exe
C:\Windows\SysWOW64\exitgfwx\hbdauqaf.exe /d"C:\Users\Admin\AppData\Local\Temp\9ab434eaec334cd3c7ad3de7860f50e9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hbdauqaf.exe

Filesize
14.4MB

MD5
55f0eb52e70eb96340654b6a8680cc37

SHA1
9c09297e94728277878b670d0c77c3a4de67c197

SHA256
e366cd080c25f2dd15ea48f5f1480f00dab510b6c557dbaf27a6ef6aac482a73

SHA512
45fe658cf19b4f01575ba87ce004a3211164e3dd144fe16b1c0e0c1422cb46bb807781cc63ea2e07bfd4e0a0a3e39909ce99a5f15ca1dc7ff326535d1b486019

Download Submit
C:\Windows\SysWOW64\exitgfwx\hbdauqaf.exe

Filesize
1.6MB

MD5
951daa3d439025343fd4d218471d9333

SHA1
7337c86bd6b21fbef51ebc79997bab56618ea757

SHA256
1bbbfc2a134955af13f31a0ae0f464c6e3ca33d8620019c6189a9a803b7e5b18

SHA512
ea3ea7ce7113895c3b1386a4a4b1d22a1bc8975c34e1995cecb810744a86523ac172db2f166c266000759d3b9ca83dd162743c8c9f574338e70cc1becb386e72

Download Submit
memory/1432-12-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/1432-16-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/1432-17-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/1432-18-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/1432-19-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/1564-8-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download
memory/1564-10-0x0000000000CC0000-0x0000000000DC0000-memory.dmp

Filesize
1024KB

Download
memory/1564-11-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download
memory/1564-13-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download
memory/3104-4-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download
memory/3104-6-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download
memory/3104-2-0x0000000000C90000-0x0000000000D90000-memory.dmp

Filesize
1024KB

Download
memory/3104-0-0x0000000000400000-0x0000000000C56000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads