tofsee | 2dd88c2cf5f3ad49a46e6cfb88ec470423992ea5365fb55f7890af7e3d704662

General

Target

c12142a8710fe99c29101f78dd31d5d7.exe
Size

13.5MB
MD5

c12142a8710fe99c29101f78dd31d5d7
SHA1

4c638ca8cdb0c581ba1323101b485973d724b917
SHA256

2dd88c2cf5f3ad49a46e6cfb88ec470423992ea5365fb55f7890af7e3d704662
SHA512

0944f49c54d4f488d55a477ff3767c72a3807148718e63745cf0795b570be48a7baf6fb3d5f19747918897c5cce588d1fcc60bbd6b91bfdc85de0546d9b64100
SSDEEP

49152:RT81MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMk:RT8

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2832	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lbfumwrk\ImagePath = "C:\\Windows\\SysWOW64\\lbfumwrk\\ziqohjmm.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c12142a8710fe99c29101f78dd31d5d7.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	ziqohjmm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 1756	2272	ziqohjmm.exe	110

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
920	sc.exe
708	sc.exe
4084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2412	2268	c12142a8710fe99c29101f78dd31d5d7.exe	93
PID 2268 wrote to memory of 2412	2268	c12142a8710fe99c29101f78dd31d5d7.exe	93
PID 2268 wrote to memory of 2412	2268	c12142a8710fe99c29101f78dd31d5d7.exe	93
PID 2268 wrote to memory of 2124	2268	c12142a8710fe99c29101f78dd31d5d7.exe	97
PID 2268 wrote to memory of 2124	2268	c12142a8710fe99c29101f78dd31d5d7.exe	97
PID 2268 wrote to memory of 2124	2268	c12142a8710fe99c29101f78dd31d5d7.exe	97
PID 2268 wrote to memory of 920	2268	c12142a8710fe99c29101f78dd31d5d7.exe	99
PID 2268 wrote to memory of 920	2268	c12142a8710fe99c29101f78dd31d5d7.exe	99
PID 2268 wrote to memory of 920	2268	c12142a8710fe99c29101f78dd31d5d7.exe	99
PID 2268 wrote to memory of 708	2268	c12142a8710fe99c29101f78dd31d5d7.exe	102
PID 2268 wrote to memory of 708	2268	c12142a8710fe99c29101f78dd31d5d7.exe	102
PID 2268 wrote to memory of 708	2268	c12142a8710fe99c29101f78dd31d5d7.exe	102
PID 2268 wrote to memory of 4084	2268	c12142a8710fe99c29101f78dd31d5d7.exe	105
PID 2268 wrote to memory of 4084	2268	c12142a8710fe99c29101f78dd31d5d7.exe	105
PID 2268 wrote to memory of 4084	2268	c12142a8710fe99c29101f78dd31d5d7.exe	105
PID 2268 wrote to memory of 2832	2268	c12142a8710fe99c29101f78dd31d5d7.exe	108
PID 2268 wrote to memory of 2832	2268	c12142a8710fe99c29101f78dd31d5d7.exe	108
PID 2268 wrote to memory of 2832	2268	c12142a8710fe99c29101f78dd31d5d7.exe	108
PID 2272 wrote to memory of 1756	2272	ziqohjmm.exe	110
PID 2272 wrote to memory of 1756	2272	ziqohjmm.exe	110
PID 2272 wrote to memory of 1756	2272	ziqohjmm.exe	110
PID 2272 wrote to memory of 1756	2272	ziqohjmm.exe	110
PID 2272 wrote to memory of 1756	2272	ziqohjmm.exe	110

C:\Users\Admin\AppData\Local\Temp\c12142a8710fe99c29101f78dd31d5d7.exe
"C:\Users\Admin\AppData\Local\Temp\c12142a8710fe99c29101f78dd31d5d7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lbfumwrk\
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ziqohjmm.exe" C:\Windows\SysWOW64\lbfumwrk\
  2⤵
  PID:2124
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create lbfumwrk binPath= "C:\Windows\SysWOW64\lbfumwrk\ziqohjmm.exe /d\"C:\Users\Admin\AppData\Local\Temp\c12142a8710fe99c29101f78dd31d5d7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description lbfumwrk "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:708
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start lbfumwrk
  2⤵
  - Launches sc.exe
  PID:4084
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2832

C:\Windows\SysWOW64\lbfumwrk\ziqohjmm.exe
C:\Windows\SysWOW64\lbfumwrk\ziqohjmm.exe /d"C:\Users\Admin\AppData\Local\Temp\c12142a8710fe99c29101f78dd31d5d7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ziqohjmm.exe

Filesize
13.0MB

MD5
d3c17467bae2d6dfcccbdfe968f8da0a

SHA1
c80f292196be1efd7d961ed8a3d6217426ed9dd2

SHA256
4bb83b605e62fc759319de8ff7a74bd4423dfb46571c3b1584060d7fecbc8110

SHA512
09414bce31bed42cd1a28588dd340462a21882843bf508d4093b0ba646e7bd4271fb38c3440a1519cc7b3db7a7c2cb4112a5b21e573f76b127fe2a953f2f05b3

Download Submit
C:\Windows\SysWOW64\lbfumwrk\ziqohjmm.exe

Filesize
11.2MB

MD5
c886cda1cfd68dcfeb6096343544af3a

SHA1
60366def871ba9960843be7f689cf2d953ee839f

SHA256
d6ca82bd0de0cfed411fcb06b958596d08278f03f822ef5d6605137d7bc51e67

SHA512
787a87abbcc831ce7087a419f4c8413e9bd387935528a8b3dc7e2125aa3b60cd45cae6b4c7b833225fd33d9f61adcb55cc165c330d18bedb66659240624cfbce

Download Submit
memory/1756-13-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/1756-26-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/1756-10-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/1756-15-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/1756-16-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/2268-24-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2268-2-0x00000000005D0000-0x00000000005E3000-memory.dmp

Filesize
76KB

Download
memory/2268-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-1-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2268-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-21-0x0000000000D30000-0x0000000000D43000-memory.dmp

Filesize
76KB

Download
memory/2272-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-8-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads