tofsee | 4e22f19f44e653a725ee0efb10b66985cd6b56df527781659b14fdad2645e542

General

Target

c99590ceea962a47d2c1f296427fd4c0.exe
Size

12.5MB
MD5

c99590ceea962a47d2c1f296427fd4c0
SHA1

50a6bdfa2ffd566ccd88ef3dfb7b2e6a4a087afa
SHA256

4e22f19f44e653a725ee0efb10b66985cd6b56df527781659b14fdad2645e542
SHA512

d2635a75533708305f47456df0eca41cbe669a9b722c656673bae02c696e8b23e7704a96ef57a0106daa9eb28da902758c84ad1c477068363f190e1ae6d431d0
SSDEEP

24576:6erU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbX:6sW

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3664	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\urwcbemt\ImagePath = "C:\\Windows\\SysWOW64\\urwcbemt\\dmcqrfua.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	c99590ceea962a47d2c1f296427fd4c0.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	dmcqrfua.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 784	2364	dmcqrfua.exe	110

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1228	sc.exe
684	sc.exe
4364	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4760	4836	c99590ceea962a47d2c1f296427fd4c0.exe	91
PID 4836 wrote to memory of 4760	4836	c99590ceea962a47d2c1f296427fd4c0.exe	91
PID 4836 wrote to memory of 4760	4836	c99590ceea962a47d2c1f296427fd4c0.exe	91
PID 4836 wrote to memory of 4052	4836	c99590ceea962a47d2c1f296427fd4c0.exe	93
PID 4836 wrote to memory of 4052	4836	c99590ceea962a47d2c1f296427fd4c0.exe	93
PID 4836 wrote to memory of 4052	4836	c99590ceea962a47d2c1f296427fd4c0.exe	93
PID 4836 wrote to memory of 1228	4836	c99590ceea962a47d2c1f296427fd4c0.exe	96
PID 4836 wrote to memory of 1228	4836	c99590ceea962a47d2c1f296427fd4c0.exe	96
PID 4836 wrote to memory of 1228	4836	c99590ceea962a47d2c1f296427fd4c0.exe	96
PID 4836 wrote to memory of 684	4836	c99590ceea962a47d2c1f296427fd4c0.exe	100
PID 4836 wrote to memory of 684	4836	c99590ceea962a47d2c1f296427fd4c0.exe	100
PID 4836 wrote to memory of 684	4836	c99590ceea962a47d2c1f296427fd4c0.exe	100
PID 4836 wrote to memory of 4364	4836	c99590ceea962a47d2c1f296427fd4c0.exe	102
PID 4836 wrote to memory of 4364	4836	c99590ceea962a47d2c1f296427fd4c0.exe	102
PID 4836 wrote to memory of 4364	4836	c99590ceea962a47d2c1f296427fd4c0.exe	102
PID 4836 wrote to memory of 3664	4836	c99590ceea962a47d2c1f296427fd4c0.exe	105
PID 4836 wrote to memory of 3664	4836	c99590ceea962a47d2c1f296427fd4c0.exe	105
PID 4836 wrote to memory of 3664	4836	c99590ceea962a47d2c1f296427fd4c0.exe	105
PID 2364 wrote to memory of 784	2364	dmcqrfua.exe	110
PID 2364 wrote to memory of 784	2364	dmcqrfua.exe	110
PID 2364 wrote to memory of 784	2364	dmcqrfua.exe	110
PID 2364 wrote to memory of 784	2364	dmcqrfua.exe	110
PID 2364 wrote to memory of 784	2364	dmcqrfua.exe	110

C:\Users\Admin\AppData\Local\Temp\c99590ceea962a47d2c1f296427fd4c0.exe
"C:\Users\Admin\AppData\Local\Temp\c99590ceea962a47d2c1f296427fd4c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\urwcbemt\
  2⤵
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dmcqrfua.exe" C:\Windows\SysWOW64\urwcbemt\
  2⤵
  PID:4052
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create urwcbemt binPath= "C:\Windows\SysWOW64\urwcbemt\dmcqrfua.exe /d\"C:\Users\Admin\AppData\Local\Temp\c99590ceea962a47d2c1f296427fd4c0.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1228
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description urwcbemt "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:684
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start urwcbemt
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:3664

C:\Windows\SysWOW64\urwcbemt\dmcqrfua.exe
C:\Windows\SysWOW64\urwcbemt\dmcqrfua.exe /d"C:\Users\Admin\AppData\Local\Temp\c99590ceea962a47d2c1f296427fd4c0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dmcqrfua.exe

Filesize
14.5MB

MD5
7effdf76504c8ccf96b175c590dd6560

SHA1
afd2eb2ba0fb0b1ffae1646b63cdd7260348abd5

SHA256
31b205bef570d6c52a14560c1ea506a4b72219c3d9ee3694d1b868da6649578c

SHA512
6cc2130f7659d11690358869c3f7a38596c179e8deeabec0e521edf93edd6a30a3c0b08b2e35a0a2c910b6dc62fd66d37033cf0b222372dc2f7481b4d5da3a23

Download Submit
C:\Windows\SysWOW64\urwcbemt\dmcqrfua.exe

Filesize
4.8MB

MD5
360e66a39e748903aa03672934d56476

SHA1
c091a70ccb9f03bdf12f69feeab6783a69d70f83

SHA256
28d06d4b807cc4e6df594c8c08df7196f9160ebf9505aceb6f55a2273aaea5aa

SHA512
236783c42f2c0ee895cd0a75d7cf98f808bf79bc5704a5788ac53942ca71412ee972400f12898b3aea2b13392ce8b0b1c8066ba5935014fa1dd54966b7e46e73

Download Submit
memory/784-12-0x0000000000950000-0x0000000000965000-memory.dmp

Filesize
84KB

Download
memory/784-27-0x0000000000950000-0x0000000000965000-memory.dmp

Filesize
84KB

Download
memory/784-20-0x0000000000950000-0x0000000000965000-memory.dmp

Filesize
84KB

Download
memory/784-19-0x0000000000950000-0x0000000000965000-memory.dmp

Filesize
84KB

Download
memory/784-15-0x0000000000950000-0x0000000000965000-memory.dmp

Filesize
84KB

Download
memory/2364-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2364-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2364-9-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2364-10-0x00000000004F0000-0x0000000000503000-memory.dmp

Filesize
76KB

Download
memory/4836-18-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/4836-1-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/4836-6-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4836-3-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4836-2-0x0000000000630000-0x0000000000643000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads