tofsee | a58c26dd8d015d4e3b081b09c3b21f1cff71e42abe545d90872c2eef003d51c9

General

Target

b2de784471ee083a4a7e2d6f3057e00c.exe
Size

310KB
MD5

b2de784471ee083a4a7e2d6f3057e00c
SHA1

03e5e0fd35a1eba05ddb6d0c4f4a9d8c8d4c67a3
SHA256

a58c26dd8d015d4e3b081b09c3b21f1cff71e42abe545d90872c2eef003d51c9
SHA512

5aa37e1305403375b475df3abb5cb60aa6ae4e2f5f07b4d45828c67ef7591e931b7155e135d4898dc982404042dfaa7adb02f9fd12a8336b9cd30955f08125fb
SSDEEP

3072:iPlmU+ROj7FN7oY9hjFJBqqKjOyTpZHNBmN+tTJfNr+1QbSoymwTTuB:iPX+RAxoYzMF5TpZtBmwG0SdTy

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2328 netsh.exe

pid	process
2328	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\murxkkde\ImagePath = "C:\\Windows\\SysWOW64\\murxkkde\\ugsxuazn.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2de784471ee083a4a7e2d6f3057e00c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	b2de784471ee083a4a7e2d6f3057e00c.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3160 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

ugsxuazn.exe

pid process

1828 ugsxuazn.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ugsxuazn.exe

description pid process target process

PID 1828 set thread context of 3160 1828 ugsxuazn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4424 sc.exe
3980 sc.exe
804 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4108 3608 WerFault.exe b2de784471ee083a4a7e2d6f3057e00c.exe
2240 1828 WerFault.exe ugsxuazn.exe

pid	process
3160	svchost.exe

pid	process
1828	ugsxuazn.exe

description	pid	process	target process
PID 1828 set thread context of 3160	1828	ugsxuazn.exe	svchost.exe

pid	process
4424	sc.exe
3980	sc.exe
804	sc.exe

pid	pid_target	process	target process
4108	3608	WerFault.exe	b2de784471ee083a4a7e2d6f3057e00c.exe
2240	1828	WerFault.exe	ugsxuazn.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b2de784471ee083a4a7e2d6f3057e00c.exeugsxuazn.exe

description	pid	process	target process
PID 3608 wrote to memory of 2832	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 2832	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 2832	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 2988	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 2988	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 2988	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	cmd.exe
PID 3608 wrote to memory of 4424	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 4424	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 4424	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 3980	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 3980	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 3980	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 804	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 804	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 804	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	sc.exe
PID 3608 wrote to memory of 2328	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	netsh.exe
PID 3608 wrote to memory of 2328	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	netsh.exe
PID 3608 wrote to memory of 2328	3608	b2de784471ee083a4a7e2d6f3057e00c.exe	netsh.exe
PID 1828 wrote to memory of 3160	1828	ugsxuazn.exe	svchost.exe
PID 1828 wrote to memory of 3160	1828	ugsxuazn.exe	svchost.exe
PID 1828 wrote to memory of 3160	1828	ugsxuazn.exe	svchost.exe
PID 1828 wrote to memory of 3160	1828	ugsxuazn.exe	svchost.exe
PID 1828 wrote to memory of 3160	1828	ugsxuazn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b2de784471ee083a4a7e2d6f3057e00c.exe
"C:\Users\Admin\AppData\Local\Temp\b2de784471ee083a4a7e2d6f3057e00c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\murxkkde\
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ugsxuazn.exe" C:\Windows\SysWOW64\murxkkde\
  2⤵
  PID:2988
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create murxkkde binPath= "C:\Windows\SysWOW64\murxkkde\ugsxuazn.exe /d\"C:\Users\Admin\AppData\Local\Temp\b2de784471ee083a4a7e2d6f3057e00c.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4424
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description murxkkde "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:3980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start murxkkde
  2⤵
  - Launches sc.exe
  PID:804
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1036
  2⤵
  - Program crash
  PID:4108

C:\Windows\SysWOW64\murxkkde\ugsxuazn.exe
C:\Windows\SysWOW64\murxkkde\ugsxuazn.exe /d"C:\Users\Admin\AppData\Local\Temp\b2de784471ee083a4a7e2d6f3057e00c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 516
  2⤵
  - Program crash
  PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3608 -ip 3608
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1828 -ip 1828
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ugsxuazn.exe

Filesize
11.1MB

MD5
cf1d0ff1d0672e8a1289ebceaf288b26

SHA1
a68c87e102bee44bcf6063a15b8c47ab70b3b1c6

SHA256
6f38a1c7fcc999778015c3e33ed0f8a5813f43e7edc7e0636737203a43f3a521

SHA512
174ed7a2ea5cb995b59b55beabf2af2fc2068af310f13a3af3dfa8a0cfa94473f8d699df13d150c4932dc80b22b3628e0e4b0651323d1fd8472b7ce763de6418

Download Submit
memory/1828-11-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3160-15-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/3160-13-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/3160-16-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/3608-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3608-8-0x00000000006D0000-0x00000000006E3000-memory.dmp

Filesize
76KB

Download
memory/3608-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3608-1-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/3608-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3608-2-0x00000000006D0000-0x00000000006E3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads