tofsee | 2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637

Analysis

max time kernel
159s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf5e424dc90b592d06e8f30f37c1e6b.exe
Size

13.2MB
MD5

cbf5e424dc90b592d06e8f30f37c1e6b
SHA1

c036166895f21a873d666560bfd7e7fce142f260
SHA256

2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637
SHA512

0fec8527110f2c75dc3cb6b61a97fe544596f1b1575a6ac025420fa9fdd651c3dc6c4db5dcc4e1bfb8b29d1bde34c3302f2801430a5140dc626edb4f7d0810d6
SSDEEP

6144:1KTDS3aiZOTXbKdags2FNxWUWF5zoINm/nu:QMaiZOT+dags21Wts9vu

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4904	netsh.exe
3552	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hehwgsdd\ImagePath = "C:\\Windows\\SysWOW64\\hehwgsdd\\rvcgilbn.exe"	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cbf5e424dc90b592d06e8f30f37c1e6b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	eilhtczv.exe

Executes dropped EXE 2 IoCs

pid	Process
4440	eilhtczv.exe
412	rvcgilbn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tqtisepp = "\"C:\\Users\\Admin\\eilhtczv.exe\""	cbf5e424dc90b592d06e8f30f37c1e6b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 412 set thread context of 3744	412	rvcgilbn.exe	129

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1760	sc.exe
2344	sc.exe
5108	sc.exe
3900	sc.exe
1348	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
744	4776	WerFault.exe	95
4936	4440	WerFault.exe	113
112	412	WerFault.exe	124

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1348	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	101
PID 4776 wrote to memory of 1348	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	101
PID 4776 wrote to memory of 1348	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	101
PID 4776 wrote to memory of 4544	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	102
PID 4776 wrote to memory of 4544	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	102
PID 4776 wrote to memory of 4544	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	102
PID 4776 wrote to memory of 1760	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	105
PID 4776 wrote to memory of 1760	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	105
PID 4776 wrote to memory of 1760	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	105
PID 4776 wrote to memory of 2344	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	107
PID 4776 wrote to memory of 2344	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	107
PID 4776 wrote to memory of 2344	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	107
PID 4776 wrote to memory of 5108	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	109
PID 4776 wrote to memory of 5108	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	109
PID 4776 wrote to memory of 5108	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	109
PID 4776 wrote to memory of 4904	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	111
PID 4776 wrote to memory of 4904	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	111
PID 4776 wrote to memory of 4904	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	111
PID 4776 wrote to memory of 4440	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	113
PID 4776 wrote to memory of 4440	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	113
PID 4776 wrote to memory of 4440	4776	cbf5e424dc90b592d06e8f30f37c1e6b.exe	113
PID 4440 wrote to memory of 4292	4440	eilhtczv.exe	117
PID 4440 wrote to memory of 4292	4440	eilhtczv.exe	117
PID 4440 wrote to memory of 4292	4440	eilhtczv.exe	117
PID 4440 wrote to memory of 3900	4440	eilhtczv.exe	119
PID 4440 wrote to memory of 3900	4440	eilhtczv.exe	119
PID 4440 wrote to memory of 3900	4440	eilhtczv.exe	119
PID 4440 wrote to memory of 1348	4440	eilhtczv.exe	122
PID 4440 wrote to memory of 1348	4440	eilhtczv.exe	122
PID 4440 wrote to memory of 1348	4440	eilhtczv.exe	122
PID 4440 wrote to memory of 3552	4440	eilhtczv.exe	125
PID 4440 wrote to memory of 3552	4440	eilhtczv.exe	125
PID 4440 wrote to memory of 3552	4440	eilhtczv.exe	125
PID 412 wrote to memory of 3744	412	rvcgilbn.exe	129
PID 412 wrote to memory of 3744	412	rvcgilbn.exe	129
PID 412 wrote to memory of 3744	412	rvcgilbn.exe	129
PID 412 wrote to memory of 3744	412	rvcgilbn.exe	129
PID 412 wrote to memory of 3744	412	rvcgilbn.exe	129

C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe
"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hehwgsdd\
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\anenfsuo.exe" C:\Windows\SysWOW64\hehwgsdd\
  2⤵
  PID:4544
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hehwgsdd binPath= "C:\Windows\SysWOW64\hehwgsdd\anenfsuo.exe /d\"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1760
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hehwgsdd "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hehwgsdd
  2⤵
  - Launches sc.exe
  PID:5108
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4904
- C:\Users\Admin\eilhtczv.exe
  "C:\Users\Admin\eilhtczv.exe" /d"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rvcgilbn.exe" C:\Windows\SysWOW64\hehwgsdd\
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config hehwgsdd binPath= "C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe /d\"C:\Users\Admin\eilhtczv.exe\""
    3⤵
    - Launches sc.exe
    PID:3900
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start hehwgsdd
    3⤵
    - Launches sc.exe
    PID:1348
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1108
    3⤵
    - Program crash
    PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1032
  2⤵
  - Program crash
  PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4776 -ip 4776
1⤵
PID:3992

C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe
C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe /d"C:\Users\Admin\eilhtczv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 520
  2⤵
  - Program crash
  PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4440 -ip 4440
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 412 -ip 412
1⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\anenfsuo.exe

Filesize
2.9MB

MD5
e80b444a789b894602d55b0579e8c7a2

SHA1
2a13df9f545b847ba91ac221a826e96c704acea9

SHA256
ac1e645a85310922650931254613c8bd3c152461f41617bf7a2d7d42e95bdfc4

SHA512
26a842ee3d3f321b3d887e45f5185a9fda3001b437b4fd59aed8a6da2f2f2df5a30601d4275db88033fabb55a842aa6cd7746038ee4bb9843cd9d9672e84d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvcgilbn.exe

Filesize
631KB

MD5
6cef15a4194e454834d0872f2cee44b3

SHA1
5e06bc9e68d819c57eaf69c1bf6e72bac819f4c7

SHA256
d74656d24ac3205b894efa14b5c592efe50f84269e13b1b26e9ef8379c713792

SHA512
23e259a4e7e60b1dad0adf37e5d003b2b16c9260b60b3b82836bf1bf6ae75e144afb9be7fed2021ee7a50614054331b7f3de81e097005daaab54b19fb0befca9

Download Submit
C:\Users\Admin\eilhtczv.exe

Filesize
2.4MB

MD5
52182d0f6f719df3fa5d4264f162b8ec

SHA1
14626c6a0c885e2e3831dde39458257897b49327

SHA256
889605bc04f4023b99f9894d22bf0fb075869ef5cc9803c9a3deb7756f848d88

SHA512
67be1260219675f720a22c7434db75cc46f5d787c90d7a4c94e00825e469d968e0d56886b2094302fdd1d829ca060b8f284233c849ca19ec0d9ae1e8f2158381

Download Submit
C:\Users\Admin\eilhtczv.exe

Filesize
3.6MB

MD5
5e527a4c1eecf84e4006e74ee48a2d75

SHA1
9362352dbc2159882cd26276e6fed50f21b9d273

SHA256
f96a362a61b4515c7d3d9fade1caf4ab5ac87cdff1e0fa6005b57b3c7a2dd4b5

SHA512
5e3e2eb122526940b721ab6bd105e6ce763c3a0774cd9f3629b7b53972fea225458a03c1f0a24d51e8891fc8143b091712c2800cf6db43b11176d4941255930c

Download Submit
C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe

Filesize
1.1MB

MD5
a0f11dacb563af3253a55c1d29998cbe

SHA1
ae8f674c3cf05aff1f9bd384b2f8301883d0e033

SHA256
681e1760e67f195ce0757358b2a3ba7de506f10b8cfa46ba273e1d5e616ade48

SHA512
9b2572a8346bcc3490fdd89544e780ab8778a079e77644771e3454d17589072b4f5a65d10241f02a38961c88cb11c7f51e942790c6fcb232a4753d29641bf767

Download Submit
memory/412-27-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/412-28-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/412-22-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/3744-23-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/3744-26-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/3744-31-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/3744-30-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/3744-29-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/4440-14-0x0000000003390000-0x00000000033A3000-memory.dmp

Filesize
76KB

Download
memory/4440-20-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/4440-13-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/4440-17-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/4776-15-0x00000000032E0000-0x00000000033E0000-memory.dmp

Filesize
1024KB

Download
memory/4776-6-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/4776-18-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/4776-4-0x0000000000400000-0x000000000324F000-memory.dmp

Filesize
46.3MB

Download
memory/4776-1-0x00000000032E0000-0x00000000033E0000-memory.dmp

Filesize
1024KB

Download
memory/4776-2-0x00000000033E0000-0x00000000033F3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads