tofsee | 16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e

General

Target

16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe
Size

228KB
MD5

c386a6ad2d8424363fb872dfca82831f
SHA1

3f8c3597caad3a7524f9b996d523fc6085624a7a
SHA256

16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e
SHA512

1750b367981ed088d26b4edaf8ad91b59e79d75479347b4313392d7a61151d1e584284bcdbba3051c471b49e36e7a77017a6efd3a24e387263cf9d8e34e66819
SSDEEP

3072:6Nt7vpI299tzwPVZC2le5W3pIhvvdUr7nuQTdzZ/pUTetjy4f:6Nt7vpIK96NZCae5w80uQTdJ6TeZ

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2968 netsh.exe

pid	process
2968	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gocflksf\ImagePath = "C:\\Windows\\SysWOW64\\gocflksf\\xvfgiehn.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3140 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

xvfgiehn.exe

pid process

4380 xvfgiehn.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xvfgiehn.exe

description pid process target process

PID 4380 set thread context of 3140 4380 xvfgiehn.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

632 sc.exe
4852 sc.exe
1092 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3140	svchost.exe

pid	process
4380	xvfgiehn.exe

description	pid	process	target process
PID 4380 set thread context of 3140	4380	xvfgiehn.exe	svchost.exe

pid	process
632	sc.exe
4852	sc.exe
1092	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exesc.exenetsh.exesvchost.exe16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.execmd.exesc.exexvfgiehn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvfgiehn.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exexvfgiehn.exe

description	pid	process	target process
PID 4828 wrote to memory of 4824	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 4824	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 4824	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 1744	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 1744	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 1744	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	cmd.exe
PID 4828 wrote to memory of 1092	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 1092	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 1092	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 632	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 632	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 632	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 4852	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 4852	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 4852	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	sc.exe
PID 4828 wrote to memory of 2968	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	netsh.exe
PID 4828 wrote to memory of 2968	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	netsh.exe
PID 4828 wrote to memory of 2968	4828	16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe	netsh.exe
PID 4380 wrote to memory of 3140	4380	xvfgiehn.exe	svchost.exe
PID 4380 wrote to memory of 3140	4380	xvfgiehn.exe	svchost.exe
PID 4380 wrote to memory of 3140	4380	xvfgiehn.exe	svchost.exe
PID 4380 wrote to memory of 3140	4380	xvfgiehn.exe	svchost.exe
PID 4380 wrote to memory of 3140	4380	xvfgiehn.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe
"C:\Users\Admin\AppData\Local\Temp\16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gocflksf\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xvfgiehn.exe" C:\Windows\SysWOW64\gocflksf\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create gocflksf binPath= "C:\Windows\SysWOW64\gocflksf\xvfgiehn.exe /d\"C:\Users\Admin\AppData\Local\Temp\16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1092
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description gocflksf "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:632
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start gocflksf
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4852
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2968

C:\Windows\SysWOW64\gocflksf\xvfgiehn.exe
C:\Windows\SysWOW64\gocflksf\xvfgiehn.exe /d"C:\Users\Admin\AppData\Local\Temp\16385d96743d3d0a22a752a5e2f8306921c89468fe258ea03e8e7e85705aa35e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xvfgiehn.exe

Filesize
10.3MB

MD5
35afdabb1797915739197d771f0e279a

SHA1
56fe6179bbb5f09f52100aab86246de065e59e7e

SHA256
ce142ecac3cc82e2211e002d29b7dafa43f3f573d40b240357935545b088b6ae

SHA512
cd972ee719631ff15231f9396a1f0d7f028ad966aee43b3a8fda963b644ecf8d9f33a49b57c11062c8c35f4fbf8b768788e433c52d6e2de321d17d862d51a39d

Download Submit
memory/3140-11-0x0000000000490000-0x00000000004A5000-memory.dmp

Filesize
84KB

Download
memory/3140-14-0x0000000000490000-0x00000000004A5000-memory.dmp

Filesize
84KB

Download
memory/3140-15-0x0000000000490000-0x00000000004A5000-memory.dmp

Filesize
84KB

Download
memory/4380-12-0x0000000000400000-0x0000000002B59000-memory.dmp

Filesize
39.3MB

Download
memory/4828-1-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

Filesize
1024KB

Download
memory/4828-2-0x0000000002CF0000-0x0000000002D03000-memory.dmp

Filesize
76KB

Download
memory/4828-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4828-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4828-8-0x0000000002CF0000-0x0000000002D03000-memory.dmp

Filesize
76KB

Download
memory/4828-7-0x0000000000400000-0x0000000002B59000-memory.dmp

Filesize
39.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads