tofsee | 23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012

General

Target

23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe
Size

12.1MB
MD5

db1af63eff5afab4bede9ffd3886b91a
SHA1

5030c06972023757b7d001fa12b02aadc07c3054
SHA256

23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012
SHA512

97632ddd6e8efa10bfc648500fe39ac4f9650fc512a763b86a454a03c8512450dfef0156b925ee30ea30e5b617ac13810e3d8c90f4accfc9ccf9b9a99d88a62c
SSDEEP

196608:WT66666666666666666666666666666666666666666666666666666666666662:W

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5056 netsh.exe

pid	process
5056	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\brqamyy\ImagePath = "C:\\Windows\\SysWOW64\\brqamyy\\zlxffqfn.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3612 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

zlxffqfn.exe

pid process

1340 zlxffqfn.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zlxffqfn.exe

description pid process target process

PID 1340 set thread context of 3612 1340 zlxffqfn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4896 sc.exe
3156 sc.exe
844 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3612	svchost.exe

pid	process
1340	zlxffqfn.exe

description	pid	process	target process
PID 1340 set thread context of 3612	1340	zlxffqfn.exe	svchost.exe

pid	process
4896	sc.exe
3156	sc.exe
844	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4428	1904	WerFault.exe	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe
2072	1340	WerFault.exe	zlxffqfn.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exezlxffqfn.exe

description	pid	process	target process
PID 1904 wrote to memory of 4856	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4856	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4856	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4932	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4932	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4932	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	cmd.exe
PID 1904 wrote to memory of 4896	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 4896	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 4896	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 3156	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 3156	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 3156	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 844	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 844	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 844	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	sc.exe
PID 1904 wrote to memory of 5056	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	netsh.exe
PID 1904 wrote to memory of 5056	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	netsh.exe
PID 1904 wrote to memory of 5056	1904	23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe	netsh.exe
PID 1340 wrote to memory of 3612	1340	zlxffqfn.exe	svchost.exe
PID 1340 wrote to memory of 3612	1340	zlxffqfn.exe	svchost.exe
PID 1340 wrote to memory of 3612	1340	zlxffqfn.exe	svchost.exe
PID 1340 wrote to memory of 3612	1340	zlxffqfn.exe	svchost.exe
PID 1340 wrote to memory of 3612	1340	zlxffqfn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe
"C:\Users\Admin\AppData\Local\Temp\23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\brqamyy\
2⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zlxffqfn.exe" C:\Windows\SysWOW64\brqamyy\
2⤵
PID:4932

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create brqamyy binPath= "C:\Windows\SysWOW64\brqamyy\zlxffqfn.exe /d\"C:\Users\Admin\AppData\Local\Temp\23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:4896

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description brqamyy "wifi internet conection"
2⤵
- Launches sc.exe
PID:3156

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start brqamyy
2⤵
- Launches sc.exe
PID:844

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1036
2⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\brqamyy\zlxffqfn.exe
C:\Windows\SysWOW64\brqamyy\zlxffqfn.exe /d"C:\Users\Admin\AppData\Local\Temp\23922e5ee3a9ff743df4b5f29cb099c6e7ab41d64ffb4123b8a8fde439f5b012.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 560
2⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1904 -ip 1904
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1340 -ip 1340
1⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zlxffqfn.exe
Filesize
13.6MB

MD5
7867265aa35c2acb372f3be0147e5ca6

SHA1
a18201fdeab782563ef7ffeb2b0765a4d976041c

SHA256
75df0c07c8efe984a6afd68f5d94a6935f9254aa860c1aca5ee0e0121f7c0c61

SHA512
107fe764acde54c4f15a2ede76e0c9086002e99f5c2cf465ac4407625c8d21524722308e56e82163a4cefba41777c9fcb00695dde2f4c25aeade249dcc53ba85

Download Submit
memory/1340-15-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1340-11-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1340-16-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1904-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1904-1-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/1904-8-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1904-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1904-9-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/1904-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/3612-12-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3612-14-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3612-17-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads