tofsee | 79940b2f535b1111facb217b7f3ed439eb91003b345e0e6bc049af42fbbe9b13

General

Target

a2118c67534664afde234ba2dab7c02e.exe
Size

10.2MB
MD5

a2118c67534664afde234ba2dab7c02e
SHA1

c398da3954e3d68ba1f05876d867ce57f9efbb34
SHA256

79940b2f535b1111facb217b7f3ed439eb91003b345e0e6bc049af42fbbe9b13
SHA512

cf20f6b7adfe95968ea411a4945f7460e72a234efb541cfd937105f7a8aa03f4ce93f5d09b341e37db65cb23e1f7304aacfe4f5d4ee72bdc5c0c04d2e4dbc79f
SSDEEP

24576:UlxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBv:UlzOR

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4532	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uwmcdpdo\ImagePath = "C:\\Windows\\SysWOW64\\uwmcdpdo\\yqzherdx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	a2118c67534664afde234ba2dab7c02e.exe

Deletes itself 1 IoCs

pid	Process
680	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3648	yqzherdx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 680	3648	yqzherdx.exe	102

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5032	sc.exe
720	sc.exe
4536	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1696	3972	WerFault.exe	83
916	3648	WerFault.exe	99

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4372	3972	a2118c67534664afde234ba2dab7c02e.exe	86
PID 3972 wrote to memory of 4372	3972	a2118c67534664afde234ba2dab7c02e.exe	86
PID 3972 wrote to memory of 4372	3972	a2118c67534664afde234ba2dab7c02e.exe	86
PID 3972 wrote to memory of 3300	3972	a2118c67534664afde234ba2dab7c02e.exe	88
PID 3972 wrote to memory of 3300	3972	a2118c67534664afde234ba2dab7c02e.exe	88
PID 3972 wrote to memory of 3300	3972	a2118c67534664afde234ba2dab7c02e.exe	88
PID 3972 wrote to memory of 5032	3972	a2118c67534664afde234ba2dab7c02e.exe	90
PID 3972 wrote to memory of 5032	3972	a2118c67534664afde234ba2dab7c02e.exe	90
PID 3972 wrote to memory of 5032	3972	a2118c67534664afde234ba2dab7c02e.exe	90
PID 3972 wrote to memory of 720	3972	a2118c67534664afde234ba2dab7c02e.exe	93
PID 3972 wrote to memory of 720	3972	a2118c67534664afde234ba2dab7c02e.exe	93
PID 3972 wrote to memory of 720	3972	a2118c67534664afde234ba2dab7c02e.exe	93
PID 3972 wrote to memory of 4536	3972	a2118c67534664afde234ba2dab7c02e.exe	94
PID 3972 wrote to memory of 4536	3972	a2118c67534664afde234ba2dab7c02e.exe	94
PID 3972 wrote to memory of 4536	3972	a2118c67534664afde234ba2dab7c02e.exe	94
PID 3972 wrote to memory of 4532	3972	a2118c67534664afde234ba2dab7c02e.exe	96
PID 3972 wrote to memory of 4532	3972	a2118c67534664afde234ba2dab7c02e.exe	96
PID 3972 wrote to memory of 4532	3972	a2118c67534664afde234ba2dab7c02e.exe	96
PID 3648 wrote to memory of 680	3648	yqzherdx.exe	102
PID 3648 wrote to memory of 680	3648	yqzherdx.exe	102
PID 3648 wrote to memory of 680	3648	yqzherdx.exe	102
PID 3648 wrote to memory of 680	3648	yqzherdx.exe	102
PID 3648 wrote to memory of 680	3648	yqzherdx.exe	102

C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe
"C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uwmcdpdo\
  2⤵
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe" C:\Windows\SysWOW64\uwmcdpdo\
  2⤵
  PID:3300
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uwmcdpdo binPath= "C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:5032
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uwmcdpdo "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uwmcdpdo
  2⤵
  - Launches sc.exe
  PID:4536
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1032
  2⤵
  - Program crash
  PID:1696

C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe
C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe /d"C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 532
  2⤵
  - Program crash
  PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3972 -ip 3972
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3648 -ip 3648
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe

Filesize
10.1MB

MD5
a97009b0aaa919cf37c9d2565249f0f5

SHA1
e2169995542d3bf300b9be50f4cde800451fa01b

SHA256
72a22196f310a3744d04927e159483f39a8207ea991fbf3691f1d65fa16ee9b6

SHA512
a262971274c82ee1bebdac5b3c2fc56f7d5db2c2f97d2aeaeb4dc2502c22c83e0f8f6396f482eaacf92d0e2c4fe0ea445ce63bbd372c80e2c69633ee8fa23e37

Download Submit
C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe

Filesize
9.1MB

MD5
2bb572540bce396e3fb3ededb000780d

SHA1
fabe406e422ce93d5607c9bf261f1bf906c902e6

SHA256
0ffdedf6f8b5bc4d806b5a7b0440a8dd498ce1ec27c95fd1b70b94df92ac3db8

SHA512
f44b302e91826f440864c75a60a240114f53483c736aa03efcde61dfd3e6eddff576a08757293d056434ca64e0abab5f026913573da6d9db619008f671c7b2bc

Download Submit
memory/680-12-0x0000000000D50000-0x0000000000D65000-memory.dmp

Filesize
84KB

Download
memory/680-16-0x0000000000D50000-0x0000000000D65000-memory.dmp

Filesize
84KB

Download
memory/680-18-0x0000000000D50000-0x0000000000D65000-memory.dmp

Filesize
84KB

Download
memory/680-19-0x0000000000D50000-0x0000000000D65000-memory.dmp

Filesize
84KB

Download
memory/3648-10-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/3648-11-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3648-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3972-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3972-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/3972-9-0x00000000021B0000-0x00000000021C3000-memory.dmp

Filesize
76KB

Download
memory/3972-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3972-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads