tofsee | 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a

General

Target

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
Size

216KB
MD5

8505936955f4b5fd5b6844f914abd3ad
SHA1

6cb392462d5f5a84ebdec75f4c3630ecf8b71b6e
SHA256

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a
SHA512

f06a690b9f638a79410db6d5a08b444f16da3515d2b6cbbd78e826ed38136a4a4a242359909970464f5c928b0773b341cc8917aabf788d9b34065e0a8614fa4f

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

putwnbfg.exe

pid process

4224 putwnbfg.exe

pid	process
4224	putwnbfg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\putwnbfg.exe\""	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

putwnbfg.exe

description pid process target process

PID 4224 set thread context of 3212 4224 putwnbfg.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 3212 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exeputwnbfg.exe

pid process

3944 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
4224 putwnbfg.exe

description	pid	process	target process
PID 4224 set thread context of 3212	4224	putwnbfg.exe	svchost.exe

pid	pid_target	process	target process
4556	3212	WerFault.exe	svchost.exe

pid	process
3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
4224	putwnbfg.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exeputwnbfg.exe

description	pid	process	target process
PID 3944 wrote to memory of 4224	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	putwnbfg.exe
PID 3944 wrote to memory of 4224	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	putwnbfg.exe
PID 3944 wrote to memory of 4224	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	putwnbfg.exe
PID 3944 wrote to memory of 4100	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	cmd.exe
PID 3944 wrote to memory of 4100	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	cmd.exe
PID 3944 wrote to memory of 4100	3944	10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe	cmd.exe
PID 4224 wrote to memory of 3212	4224	putwnbfg.exe	svchost.exe
PID 4224 wrote to memory of 3212	4224	putwnbfg.exe	svchost.exe
PID 4224 wrote to memory of 3212	4224	putwnbfg.exe	svchost.exe
PID 4224 wrote to memory of 3212	4224	putwnbfg.exe	svchost.exe
PID 4224 wrote to memory of 3212	4224	putwnbfg.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
"C:\Users\Admin\AppData\Local\Temp\10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\putwnbfg.exe
"C:\Users\Admin\putwnbfg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 468
4⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6767.bat" "
2⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 3212
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6767.bat
Filesize
302B

MD5
0f30c7524e0ecf8fe27bde26b4440556

SHA1
367d9ce10592631d2b6829df63742a9d22770de8

SHA256
2d0974509afe422e5ef20bc3c9822e89bcf591b6f5e14ebc5d7790f2a177d218

SHA512
857bdb4ca3ae0391ff21b1c566704f4fe5e6e73150e88b80735decf17bc7ef2c24f7963b945927aedd2bd8bad41383a0cc5fda19a55c0e0516fa50473e35a7a9

Download Submit
C:\Users\Admin\putwnbfg.exe
Filesize
48.6MB

MD5
f54da7330529608b15d5c2e14f28d793

SHA1
736b0c6e5fc3f4adbfbf392a8030fd22c24d4881

SHA256
9634bd6660a0c85a23ec79ee94332eb37cb218cef1bf4dc44ee4d6c5bbbf7fd9

SHA512
d704f0947a5057e41387b0d4ba637ef29fec2ae44c0b2e51a2128609e78356b58668d1f6a7cad9a2b007ef510ad235af7c0dc7d5631e9525f37ffc9d4a673c0c

Download Submit
C:\Users\Admin\putwnbfg.exe
Filesize
48.6MB

MD5
f54da7330529608b15d5c2e14f28d793

SHA1
736b0c6e5fc3f4adbfbf392a8030fd22c24d4881

SHA256
9634bd6660a0c85a23ec79ee94332eb37cb218cef1bf4dc44ee4d6c5bbbf7fd9

SHA512
d704f0947a5057e41387b0d4ba637ef29fec2ae44c0b2e51a2128609e78356b58668d1f6a7cad9a2b007ef510ad235af7c0dc7d5631e9525f37ffc9d4a673c0c

Download Submit
memory/3212-159-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/3212-157-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/3212-153-0x0000000000000000-mapping.dmp

Download
memory/3212-154-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/3212-158-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/3944-138-0x00000000752E0000-0x000000007543D000-memory.dmp

Filesize
1.4MB

Download
memory/3944-145-0x00000000752E0000-0x000000007543D000-memory.dmp

Filesize
1.4MB

Download
memory/3944-132-0x0000000002E51000-0x0000000002E56000-memory.dmp

Filesize
20KB

Download
memory/3944-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4100-144-0x0000000000000000-mapping.dmp

Download
memory/4224-146-0x0000000002CA1000-0x0000000002CA6000-memory.dmp

Filesize
20KB

Download
memory/4224-155-0x00000000752E0000-0x000000007543D000-memory.dmp

Filesize
1.4MB

Download
memory/4224-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads