tofsee | 0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90

General

Target

0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe
Size

13.0MB
MD5

38a85adfdcbda17fe01e01c8cf39289d
SHA1

eb8f22a914d9f6a8b7b7cca8394db6a261675c8c
SHA256

0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90
SHA512

ecf37aa2f234b9a795e3e0ef04e4713eacdcc50d3b56a0c6c3a495cf23e848ea84acd5313094c639ff4a310cf5c67b8a2e271dfe7a5e1a1eecf6e0c813ea1acd
SSDEEP

49152:hOFK1llllllllllllllllllllllllllllllllllllllllllllllllllllllllllq:9g

Score

10^/10

tofsee discovery evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2720	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3476	sc.exe
1860	sc.exe
2156	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2748	4968	WerFault.exe	81
2452	2556	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4668	4968	0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe	84
PID 4968 wrote to memory of 4668	4968	0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe	84
PID 4968 wrote to memory of 4668	4968	0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe	84

C:\Users\Admin\AppData\Local\Temp\0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe
"C:\Users\Admin\AppData\Local\Temp\0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nwwxvlte\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pitjurkd.exe" C:\Windows\SysWOW64\nwwxvlte\
  2⤵
  PID:1272
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nwwxvlte binPath= "C:\Windows\SysWOW64\nwwxvlte\pitjurkd.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:1860
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nwwxvlte "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nwwxvlte
  2⤵
  - Launches sc.exe
  PID:3476
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1176
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\nwwxvlte\pitjurkd.exe
C:\Windows\SysWOW64\nwwxvlte\pitjurkd.exe /d"C:\Users\Admin\AppData\Local\Temp\0a131a082b4fb56695e1a0d6532254286baaacec7a880f6d8ce8c6834072ea90.exe"
1⤵
PID:2556
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 516
  2⤵
  - Program crash
  PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4968 -ip 4968
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2556 -ip 2556
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pitjurkd.exe

Filesize
13.0MB

MD5
50f5de9caf57d2964071e9913072ce45

SHA1
0557009ed61b02e6ab9b83ff752229a754f67aa9

SHA256
d7121e733b9db0b3a06161df0104e10d9155df0f3cce1a54e52c386524bcf201

SHA512
bbbf7cdef48c43492d5c2091a3eda5c5b9ab437009613323d9f7482e4764d2664c7b0380ae8985c1de4eca0a1fb3b4f3d3da34bb9ff21b2f117d0e79e15b88a3

Download Submit
memory/2556-16-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/2556-15-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/2556-17-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/4112-11-0x0000000000B60000-0x0000000000B75000-memory.dmp

Filesize
84KB

Download
memory/4112-13-0x0000000000B60000-0x0000000000B75000-memory.dmp

Filesize
84KB

Download
memory/4112-14-0x0000000000B60000-0x0000000000B75000-memory.dmp

Filesize
84KB

Download
memory/4968-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4968-2-0x0000000001960000-0x0000000001973000-memory.dmp

Filesize
76KB

Download
memory/4968-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4968-9-0x0000000001960000-0x0000000001973000-memory.dmp

Filesize
76KB

Download
memory/4968-8-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/4968-1-0x00000000019C0000-0x0000000001AC0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads