tofsee | 6522fa5f61dee8086fcc972547b6e169f58da291dd00b7365acc011f175666c4

General

Target

b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe
Size

229KB
MD5

68502dbaf73be1eca888f78e3b06d55a
SHA1

14654e87e085e07b91535c7e4e8bc5f41ced65e4
SHA256

b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992
SHA512

d87cad3ac8f7f18cb12e63c9bb6a74f29dabf09d5374c64d51ce7a1b3621fd65e454ecf6ff0d0551b80685117b450abf50494b669ad48d5a9906b44e7364d6cb
SSDEEP

3072:+nBlv1nZAbXsdUs0vEJier1K2x5b2CZ/P20DMb9rAn5M23R8Gj7mkg+cmH:+nBXk1fmK+G0DMb9rA6Gj7mkHco

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4940 netsh.exe

pid	process
4940	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qmccuwno\ImagePath = "C:\\Windows\\SysWOW64\\qmccuwno\\trgohxso.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3976 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

trgohxso.exe

pid process

4528 trgohxso.exe

pid	process
3976	svchost.exe

pid	process
4528	trgohxso.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

trgohxso.exe

description pid process target process

PID 4528 set thread context of 3976 4528 trgohxso.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1564 sc.exe
2012 sc.exe
2480 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4528 set thread context of 3976	4528	trgohxso.exe	svchost.exe

pid	process
1564	sc.exe
2012	sc.exe
2480	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
324	64	WerFault.exe	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe
4048	4528	WerFault.exe	trgohxso.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = dce4b63d4c7d0d0324edb47d450dd49d134286d6db3e66aba46d34fdc48d541dd2a9244d41cd945d24ee786f470dd49d651bc693b57f26f3955500d3f1b5541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d64cbf5bd847dad1ca43f84649a8d541de4ac743d04a1fb3e4581d71b230d796312f53f08842e681abfe934fdc48d541de4ae743d04abf83c439eeb083469d4ad644f9bcfea1270bcd00834ccf1b5632cd79d400e37cdfd3924dc844a7634e3aa5319c6bdec244bb4c06d19cff5be6028d79c440b35cdf8324589d10f1b64b09d502d9dcd847b22e5945e00c9fdb8546e96db2b496da0f15d15dd8c4a703fe4a45619f4d1eb2e75b1fb195d90a18d6528dc9a450e34f9a16d2409941f445564043a2df4bd844f14dda42470cff5bb6429d79b460e31cd945d2467b97c3709d49d642df4bd844e14dda466903844	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 4cbdb73d4c7d0d0324edb47d450dd49d084297dce82e72baa4c0ca8b1c46e11d6b22922d81cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5681cda854e7439e7ae644490bdb57d23ef9d5a03caf0bf54758df21d5904e0a66c17d9814e753de2ac64419bdce0286682cd0934c9c4e4241ddc95400a37fda66413edc70f3252a0f40948f490b57f23eb915806ccf5bf54718bce15515bb9fd3041ed85487c3ae5ae5419c08d84a934bfa42584649a8d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd847b108dd42834fdc48d57d1f6ae743d04cca26f0adc864f6a3ceca94a18ccbd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd725c24ed	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exetrgohxso.exe

description	pid	process	target process
PID 64 wrote to memory of 2320	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2320	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2320	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2784	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2784	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2784	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	cmd.exe
PID 64 wrote to memory of 2012	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 2012	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 2012	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 2480	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 2480	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 2480	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 1564	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 1564	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 64 wrote to memory of 1564	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	sc.exe
PID 4528 wrote to memory of 3976	4528	trgohxso.exe	svchost.exe
PID 4528 wrote to memory of 3976	4528	trgohxso.exe	svchost.exe
PID 4528 wrote to memory of 3976	4528	trgohxso.exe	svchost.exe
PID 4528 wrote to memory of 3976	4528	trgohxso.exe	svchost.exe
PID 4528 wrote to memory of 3976	4528	trgohxso.exe	svchost.exe
PID 64 wrote to memory of 4940	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	netsh.exe
PID 64 wrote to memory of 4940	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	netsh.exe
PID 64 wrote to memory of 4940	64	b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe
"C:\Users\Admin\AppData\Local\Temp\b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qmccuwno\
2⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\trgohxso.exe" C:\Windows\SysWOW64\qmccuwno\
2⤵
PID:2784

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qmccuwno binPath= "C:\Windows\SysWOW64\qmccuwno\trgohxso.exe /d\"C:\Users\Admin\AppData\Local\Temp\b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:2012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qmccuwno "wifi internet conection"
2⤵
- Launches sc.exe
PID:2480

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qmccuwno
2⤵
- Launches sc.exe
PID:1564

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1188
2⤵
- Program crash
PID:324

C:\Windows\SysWOW64\qmccuwno\trgohxso.exe
C:\Windows\SysWOW64\qmccuwno\trgohxso.exe /d"C:\Users\Admin\AppData\Local\Temp\b557b082890ce023270e4291073976f24d7e68b1ab58890bb95b310785142992.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 524
2⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4528 -ip 4528
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 64 -ip 64
1⤵
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\trgohxso.exe
Filesize
13.1MB

MD5
c8d0dc730c61dec07abefe260b368d31

SHA1
a736c8b95734d9caec8d159f4e1bf10a5a2956e9

SHA256
e9ef1a06f2207266db90195efcfea978ed5318242b864648c203c29694b6aa91

SHA512
8bfa203e6af8d83c438b3eb0b16481feadad80abcc9ef836cfba978b2d1f7ab799c16cc3208c0703151f29465887d7961ba5c5b22f07657700bc7b810386e67b

Download Submit
memory/64-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/64-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/64-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/64-2-0x00000000006A0000-0x00000000006B3000-memory.dmp

Filesize
76KB

Download
memory/3976-20-0x0000000000610000-0x0000000000625000-memory.dmp

Filesize
84KB

Download
memory/3976-18-0x0000000000610000-0x0000000000625000-memory.dmp

Filesize
84KB

Download
memory/3976-11-0x0000000000610000-0x0000000000625000-memory.dmp

Filesize
84KB

Download
memory/3976-14-0x0000000000610000-0x0000000000625000-memory.dmp

Filesize
84KB

Download
memory/3976-17-0x0000000000610000-0x0000000000625000-memory.dmp

Filesize
84KB

Download
memory/4528-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-9-0x00000000005A0000-0x00000000005B3000-memory.dmp

Filesize
76KB

Download
memory/4528-8-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads