Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-01-2025 16:46
Static task
static1
Behavioral task
behavioral1
Sample
tofsee.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
tofsee.exe
Resource
win10v2004-20241007-en
General
-
Target
tofsee.exe
-
Size
12.3MB
-
MD5
25d2b9e890383de8e4c54531aec432dd
-
SHA1
ccaa3021da481652aa28104eeb8af59a2ebb7ac7
-
SHA256
50c458863b680d4b1c852fe9b6367c9a1fd6008ba4bd149f08ea71c8b06c2cb6
-
SHA512
452991b58c1ef0d52f1971771a4fe01ce85dee5ee23d59adfdec703df4f5ec76a691fd6b4d3cd88a93736c14a886bd1df8825360efad8e2c99595dc4a4d3feb4
-
SSDEEP
6144:peeISXLAQ4G5g0RVOppo6xI4JbDva0uRjMgUgWWWWWWWWWWWWWWWWWWWWWWWWWWn:pzbXMG5goCfDva5RQg
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Tofsee family
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4072 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jlnlfwac\ImagePath = "C:\\Windows\\SysWOW64\\jlnlfwac\\rhjwnfq.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation tofsee.exe -
Deletes itself 1 IoCs
pid Process 3452 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3112 rhjwnfq.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3112 set thread context of 3452 3112 rhjwnfq.exe 97 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4848 sc.exe 3932 sc.exe 3584 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhjwnfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tofsee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2720 wrote to memory of 3948 2720 tofsee.exe 83 PID 2720 wrote to memory of 3948 2720 tofsee.exe 83 PID 2720 wrote to memory of 3948 2720 tofsee.exe 83 PID 2720 wrote to memory of 456 2720 tofsee.exe 85 PID 2720 wrote to memory of 456 2720 tofsee.exe 85 PID 2720 wrote to memory of 456 2720 tofsee.exe 85 PID 2720 wrote to memory of 3932 2720 tofsee.exe 88 PID 2720 wrote to memory of 3932 2720 tofsee.exe 88 PID 2720 wrote to memory of 3932 2720 tofsee.exe 88 PID 2720 wrote to memory of 3584 2720 tofsee.exe 90 PID 2720 wrote to memory of 3584 2720 tofsee.exe 90 PID 2720 wrote to memory of 3584 2720 tofsee.exe 90 PID 2720 wrote to memory of 4848 2720 tofsee.exe 92 PID 2720 wrote to memory of 4848 2720 tofsee.exe 92 PID 2720 wrote to memory of 4848 2720 tofsee.exe 92 PID 2720 wrote to memory of 4072 2720 tofsee.exe 95 PID 2720 wrote to memory of 4072 2720 tofsee.exe 95 PID 2720 wrote to memory of 4072 2720 tofsee.exe 95 PID 3112 wrote to memory of 3452 3112 rhjwnfq.exe 97 PID 3112 wrote to memory of 3452 3112 rhjwnfq.exe 97 PID 3112 wrote to memory of 3452 3112 rhjwnfq.exe 97 PID 3112 wrote to memory of 3452 3112 rhjwnfq.exe 97 PID 3112 wrote to memory of 3452 3112 rhjwnfq.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\tofsee.exe"C:\Users\Admin\AppData\Local\Temp\tofsee.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlnlfwac\2⤵
- System Location Discovery: System Language Discovery
PID:3948
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhjwnfq.exe" C:\Windows\SysWOW64\jlnlfwac\2⤵
- System Location Discovery: System Language Discovery
PID:456
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create jlnlfwac binPath= "C:\Windows\SysWOW64\jlnlfwac\rhjwnfq.exe /d\"C:\Users\Admin\AppData\Local\Temp\tofsee.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3932
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description jlnlfwac "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3584
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jlnlfwac2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4848
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4072
-
-
C:\Windows\SysWOW64\jlnlfwac\rhjwnfq.exeC:\Windows\SysWOW64\jlnlfwac\rhjwnfq.exe /d"C:\Users\Admin\AppData\Local\Temp\tofsee.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3452
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.6MB
MD53a6af36f62a06945ac9d6087c94d3e63
SHA1192fb55575c0b616c0754c4986962fd62995a8ac
SHA256bb754b303b82a865673ea654dd8aac944f190cbec9a946bc0c85612808e7c28a
SHA512b0a8ade93f8cd2e96df174fc2fbb3f0fce8f413925fefa9a7fd37dc3f9d58245094006ec5b54e67a8b34f34c08777008199c4ca44c99dedf73eccfb468d9939b