tofsee | dab7a0e23822f9014969fb8a9ec8e27c947e7542ef63b0508b34ee6156757875

General

Target

c05cd0f67349fcf3ec9623331ff98469.exe
Size

338KB
MD5

c05cd0f67349fcf3ec9623331ff98469
SHA1

d3d3e7403a28809a427a09a5143ca1f4964b3205
SHA256

dab7a0e23822f9014969fb8a9ec8e27c947e7542ef63b0508b34ee6156757875
SHA512

9c8431a355b72b89f37b5a94c9c95b120c021df3cf8cdb556ccc262ae56a1cb00c025b20915e8b4628c49499d82ef397bb59007e1ea3809de7b80e37377b7069
SSDEEP

6144:dWgNDwgPQcb3+CW948kKmiRZrvdw/GY2mVRkOF:hNMgPQcbuCWOKmUH+GC

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3740	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uqsbhprr\ImagePath = "C:\\Windows\\SysWOW64\\uqsbhprr\\ylcldqsm.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c05cd0f67349fcf3ec9623331ff98469.exe

Deletes itself 1 IoCs

pid	Process
3948	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5072	ylcldqsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 3948	5072	ylcldqsm.exe	114

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2980	sc.exe
3584	sc.exe
4328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1864	1052	c05cd0f67349fcf3ec9623331ff98469.exe	101
PID 1052 wrote to memory of 1864	1052	c05cd0f67349fcf3ec9623331ff98469.exe	101
PID 1052 wrote to memory of 1864	1052	c05cd0f67349fcf3ec9623331ff98469.exe	101
PID 1052 wrote to memory of 3996	1052	c05cd0f67349fcf3ec9623331ff98469.exe	103
PID 1052 wrote to memory of 3996	1052	c05cd0f67349fcf3ec9623331ff98469.exe	103
PID 1052 wrote to memory of 3996	1052	c05cd0f67349fcf3ec9623331ff98469.exe	103
PID 1052 wrote to memory of 3584	1052	c05cd0f67349fcf3ec9623331ff98469.exe	105
PID 1052 wrote to memory of 3584	1052	c05cd0f67349fcf3ec9623331ff98469.exe	105
PID 1052 wrote to memory of 3584	1052	c05cd0f67349fcf3ec9623331ff98469.exe	105
PID 1052 wrote to memory of 4328	1052	c05cd0f67349fcf3ec9623331ff98469.exe	107
PID 1052 wrote to memory of 4328	1052	c05cd0f67349fcf3ec9623331ff98469.exe	107
PID 1052 wrote to memory of 4328	1052	c05cd0f67349fcf3ec9623331ff98469.exe	107
PID 1052 wrote to memory of 2980	1052	c05cd0f67349fcf3ec9623331ff98469.exe	109
PID 1052 wrote to memory of 2980	1052	c05cd0f67349fcf3ec9623331ff98469.exe	109
PID 1052 wrote to memory of 2980	1052	c05cd0f67349fcf3ec9623331ff98469.exe	109
PID 1052 wrote to memory of 3740	1052	c05cd0f67349fcf3ec9623331ff98469.exe	112
PID 1052 wrote to memory of 3740	1052	c05cd0f67349fcf3ec9623331ff98469.exe	112
PID 1052 wrote to memory of 3740	1052	c05cd0f67349fcf3ec9623331ff98469.exe	112
PID 5072 wrote to memory of 3948	5072	ylcldqsm.exe	114
PID 5072 wrote to memory of 3948	5072	ylcldqsm.exe	114
PID 5072 wrote to memory of 3948	5072	ylcldqsm.exe	114
PID 5072 wrote to memory of 3948	5072	ylcldqsm.exe	114
PID 5072 wrote to memory of 3948	5072	ylcldqsm.exe	114

C:\Users\Admin\AppData\Local\Temp\c05cd0f67349fcf3ec9623331ff98469.exe
"C:\Users\Admin\AppData\Local\Temp\c05cd0f67349fcf3ec9623331ff98469.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uqsbhprr\
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ylcldqsm.exe" C:\Windows\SysWOW64\uqsbhprr\
  2⤵
  PID:3996
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uqsbhprr binPath= "C:\Windows\SysWOW64\uqsbhprr\ylcldqsm.exe /d\"C:\Users\Admin\AppData\Local\Temp\c05cd0f67349fcf3ec9623331ff98469.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:3584
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uqsbhprr "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:4328
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uqsbhprr
  2⤵
  - Launches sc.exe
  PID:2980
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3740

C:\Windows\SysWOW64\uqsbhprr\ylcldqsm.exe
C:\Windows\SysWOW64\uqsbhprr\ylcldqsm.exe /d"C:\Users\Admin\AppData\Local\Temp\c05cd0f67349fcf3ec9623331ff98469.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ylcldqsm.exe

Filesize
442KB

MD5
5e540d8e607aadebec0ff92099cd3056

SHA1
15d070473eaf4892a431fa248a171279fe665ea9

SHA256
fba5fd994c451c560cfa8e46ae98c9271c16c3af627265d8b983e39f96bcc8cd

SHA512
96883ca095bba05db98336476bdfb906d65894012d50d8a24506eb531a5645021cf15436cc82a13feb477b1a5d4030e6220f6737bcedeab5c5eade620180aaf9

Download Submit
C:\Windows\SysWOW64\uqsbhprr\ylcldqsm.exe

Filesize
205KB

MD5
59770bf32a6affc60e29983e28527b86

SHA1
303d35dd98054376e17720b6cab20ae9b50e745f

SHA256
1f5eb454e467b9fe401113733827461659ae964cec88dee151129f22c5b679fc

SHA512
fff1f11a62b7428fbc27fe2231e3bb9e4e82c3801d0adc99e9062b542afdc5fe84652f6fdae497c823829653259d798fbb94630affd28355c845e176b2cb12a6

Download Submit
memory/1052-1-0x0000000003310000-0x0000000003410000-memory.dmp

Filesize
1024KB

Download
memory/1052-2-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/1052-4-0x0000000000400000-0x0000000003250000-memory.dmp

Filesize
46.3MB

Download
memory/1052-5-0x0000000000400000-0x0000000003250000-memory.dmp

Filesize
46.3MB

Download
memory/1052-10-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/1052-9-0x0000000000400000-0x0000000003250000-memory.dmp

Filesize
46.3MB

Download
memory/3948-19-0x0000000000790000-0x00000000007A5000-memory.dmp

Filesize
84KB

Download
memory/3948-13-0x0000000000790000-0x00000000007A5000-memory.dmp

Filesize
84KB

Download
memory/3948-16-0x0000000000790000-0x00000000007A5000-memory.dmp

Filesize
84KB

Download
memory/3948-20-0x0000000000790000-0x00000000007A5000-memory.dmp

Filesize
84KB

Download
memory/3948-21-0x0000000000790000-0x00000000007A5000-memory.dmp

Filesize
84KB

Download
memory/5072-18-0x0000000000400000-0x0000000003250000-memory.dmp

Filesize
46.3MB

Download
memory/5072-12-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/5072-17-0x0000000000400000-0x0000000003250000-memory.dmp

Filesize
46.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads