tofsee | 04b285f5454574c1eff634abc22b111ef5a9c00d318daf8efe587f2a06a985f9

Reason

Machine shutdown

General

Target

8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
Size

228KB
MD5

62abaf2cde2460be94b6fc5d5917cf14
SHA1

ef808492171ea4fcc8b85a6ec553544ebff2dc26
SHA256

8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f
SHA512

fb511c078edb9971c8c7c073441f6ef0d1fededa093d7991f6e54c40e7c9144e67c45dbbdec22b5ff93111846f687fcb22456c4b2c03b7b01b3858eaab1792c7
SSDEEP

3072:7VpLtaCoeUUb4Ji0/7t+/KFQbMdLY8aXIbHQSLkJl4C6FD81OL6OwR2Rsb4Mf7U0:JpLt3/bc/taYtLkqKLOOX7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2520 netsh.exe

pid	process
2520	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

Executes dropped EXE 1 IoCs

Processes:

ykspviom.exe

pid process

872 ykspviom.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2516 sc.exe
1344 sc.exe
1476 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2820 2148 WerFault.exe 8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

pid	process
872	ykspviom.exe

pid	process
2516	sc.exe
1344	sc.exe
1476	sc.exe

pid	pid_target	process	target process
2820	2148	WerFault.exe	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe

description	pid	process	target process
PID 2148 wrote to memory of 4532	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 4532	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 4532	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 1920	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 1920	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 1920	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	cmd.exe
PID 2148 wrote to memory of 2516	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 2516	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 2516	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1344	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1344	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1344	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1476	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1476	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 1476	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	sc.exe
PID 2148 wrote to memory of 2520	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	netsh.exe
PID 2148 wrote to memory of 2520	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	netsh.exe
PID 2148 wrote to memory of 2520	2148	8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ssxepryi\
2⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ykspviom.exe" C:\Windows\SysWOW64\ssxepryi\
2⤵
PID:1920

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ssxepryi binPath= "C:\Windows\SysWOW64\ssxepryi\ykspviom.exe /d\"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2516

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ssxepryi "wifi internet conection"
2⤵
- Launches sc.exe
PID:1344

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ssxepryi
2⤵
- Launches sc.exe
PID:1476

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 792
2⤵
- Program crash
PID:2820

C:\Windows\SysWOW64\ssxepryi\ykspviom.exe
C:\Windows\SysWOW64\ssxepryi\ykspviom.exe /d"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2148 -ip 2148
1⤵
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ykspviom.exe
Filesize
14.5MB

MD5
59e380e6b9a25d44cf6e4980676042cf

SHA1
c601b09308286fbf8bf7e590df5c34c8412c179f

SHA256
e9d5b969b72c6e10f8043c1ee470494cf934cc377ca61b11224f0cf572f2ba1b

SHA512
d53361f734ec259970956f1960d2ccc4ed5db88e8f9caf0bedd0189e02dcc35f635a47ef5754d3206d54c6377b27e1a5deeef73ce9107031b9b02093188c834d

Download Submit
memory/2148-1-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/2148-2-0x0000000002050000-0x0000000002063000-memory.dmp

Filesize
76KB

Download
memory/2148-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

Errors