tofsee | 916ed7d444a4233ca18d621514bc9a419608860fa3d13d1aef060d9e034bceb1

General

Target

d3d0c67da718de678206c8e774c6d30c.exe
Size

14.6MB
MD5

d3d0c67da718de678206c8e774c6d30c
SHA1

b2b4039df080b6ad64d6a886ac4b29c76fcd1a37
SHA256

916ed7d444a4233ca18d621514bc9a419608860fa3d13d1aef060d9e034bceb1
SHA512

2647deb5b80f83d8d8f6a7f47e393fea4e57299703ba7458aba84317a5694eb5e70ea038342bdd60de5370b6fabb8685582c3e2115ca5fb1c4867af2b97b3974
SSDEEP

49152:r66666666666666666666666666666666666666666666666666666666666666/:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4320	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zqfefpvp\ImagePath = "C:\\Windows\\SysWOW64\\zqfefpvp\\fzbexww.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d3d0c67da718de678206c8e774c6d30c.exe

Deletes itself 1 IoCs

pid	Process
2512	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	fzbexww.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 2512	5064	fzbexww.exe	121

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2100	sc.exe
1552	sc.exe
1784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4576	2680	WerFault.exe	96
4940	5064	WerFault.exe	114

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3460	2680	d3d0c67da718de678206c8e774c6d30c.exe	98
PID 2680 wrote to memory of 3460	2680	d3d0c67da718de678206c8e774c6d30c.exe	98
PID 2680 wrote to memory of 3460	2680	d3d0c67da718de678206c8e774c6d30c.exe	98
PID 2680 wrote to memory of 4576	2680	d3d0c67da718de678206c8e774c6d30c.exe	102
PID 2680 wrote to memory of 4576	2680	d3d0c67da718de678206c8e774c6d30c.exe	102
PID 2680 wrote to memory of 4576	2680	d3d0c67da718de678206c8e774c6d30c.exe	102
PID 2680 wrote to memory of 2100	2680	d3d0c67da718de678206c8e774c6d30c.exe	104
PID 2680 wrote to memory of 2100	2680	d3d0c67da718de678206c8e774c6d30c.exe	104
PID 2680 wrote to memory of 2100	2680	d3d0c67da718de678206c8e774c6d30c.exe	104
PID 2680 wrote to memory of 1552	2680	d3d0c67da718de678206c8e774c6d30c.exe	107
PID 2680 wrote to memory of 1552	2680	d3d0c67da718de678206c8e774c6d30c.exe	107
PID 2680 wrote to memory of 1552	2680	d3d0c67da718de678206c8e774c6d30c.exe	107
PID 2680 wrote to memory of 1784	2680	d3d0c67da718de678206c8e774c6d30c.exe	109
PID 2680 wrote to memory of 1784	2680	d3d0c67da718de678206c8e774c6d30c.exe	109
PID 2680 wrote to memory of 1784	2680	d3d0c67da718de678206c8e774c6d30c.exe	109
PID 2680 wrote to memory of 4320	2680	d3d0c67da718de678206c8e774c6d30c.exe	111
PID 2680 wrote to memory of 4320	2680	d3d0c67da718de678206c8e774c6d30c.exe	111
PID 2680 wrote to memory of 4320	2680	d3d0c67da718de678206c8e774c6d30c.exe	111
PID 5064 wrote to memory of 2512	5064	fzbexww.exe	121
PID 5064 wrote to memory of 2512	5064	fzbexww.exe	121
PID 5064 wrote to memory of 2512	5064	fzbexww.exe	121
PID 5064 wrote to memory of 2512	5064	fzbexww.exe	121
PID 5064 wrote to memory of 2512	5064	fzbexww.exe	121

C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe
"C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zqfefpvp\
  2⤵
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fzbexww.exe" C:\Windows\SysWOW64\zqfefpvp\
  2⤵
  PID:4576
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create zqfefpvp binPath= "C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe /d\"C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description zqfefpvp "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start zqfefpvp
  2⤵
  - Launches sc.exe
  PID:1784
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:4320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 744
  2⤵
  - Program crash
  PID:4576

C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe
C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe /d"C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:2512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 520
  2⤵
  - Program crash
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2680 -ip 2680
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5064 -ip 5064
1⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fzbexww.exe

Filesize
14.8MB

MD5
d93eb6eefae0588cf412f9151281e1b3

SHA1
bda93aeeaed50e7b87ad7f25d212213bddc857f7

SHA256
d2cd47fceb85115a43998c3ebee3382847ab66cd09f389180c76dd803671b78c

SHA512
e8481de60dda25757ac488fa26a68fae9c4b176c2c2ba8e0654bd56d0c63777fa7c0b18c0ca57e13780ce548959b6f303aeaec94fb8b3a5feb5826318defa8db

Download Submit
memory/2512-13-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2512-20-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2512-19-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2512-17-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2512-16-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2680-5-0x0000000000400000-0x0000000000C0A000-memory.dmp

Filesize
8.0MB

Download
memory/2680-9-0x0000000000DD0000-0x0000000000DE3000-memory.dmp

Filesize
76KB

Download
memory/2680-8-0x0000000000400000-0x0000000000C0A000-memory.dmp

Filesize
8.0MB

Download
memory/2680-1-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

Filesize
1024KB

Download
memory/2680-4-0x0000000000400000-0x0000000000C0A000-memory.dmp

Filesize
8.0MB

Download
memory/2680-2-0x0000000000DD0000-0x0000000000DE3000-memory.dmp

Filesize
76KB

Download
memory/5064-11-0x0000000000C20000-0x0000000000D20000-memory.dmp

Filesize
1024KB

Download
memory/5064-12-0x0000000000400000-0x0000000000C0A000-memory.dmp

Filesize
8.0MB

Download
memory/5064-18-0x0000000000400000-0x0000000000C0A000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads