tofsee | 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d

General

Target

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
Size

184KB
MD5

86904bef92845b067a76d08ade4cc08b
SHA1

33ce7286d3a5f2cea3c5197e63fcbbc6effa026a
SHA256

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d
SHA512

7db74feff0246d8d5564cccbd23dcc555147881c7733f79c6013f9dcfae4f5f8d2fdde28722794665c73fdf85dd5f5d0a895fb9372dcc6fe0170b51cf1b293e2

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

uzybsgkl.exe

pid process

4656 uzybsgkl.exe

pid	process
4656	uzybsgkl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uzybsgkl.exe\""	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

uzybsgkl.exe

description pid process target process

PID 4656 set thread context of 3164 4656 uzybsgkl.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4912 3164 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exeuzybsgkl.exe

pid process

1488 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
4656 uzybsgkl.exe

description	pid	process	target process
PID 4656 set thread context of 3164	4656	uzybsgkl.exe	svchost.exe

pid	pid_target	process	target process
4912	3164	WerFault.exe	svchost.exe

pid	process
1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
4656	uzybsgkl.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exeuzybsgkl.exe

description	pid	process	target process
PID 1488 wrote to memory of 4656	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	uzybsgkl.exe
PID 1488 wrote to memory of 4656	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	uzybsgkl.exe
PID 1488 wrote to memory of 4656	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	uzybsgkl.exe
PID 4656 wrote to memory of 3164	4656	uzybsgkl.exe	svchost.exe
PID 4656 wrote to memory of 3164	4656	uzybsgkl.exe	svchost.exe
PID 4656 wrote to memory of 3164	4656	uzybsgkl.exe	svchost.exe
PID 4656 wrote to memory of 3164	4656	uzybsgkl.exe	svchost.exe
PID 4656 wrote to memory of 3164	4656	uzybsgkl.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	cmd.exe
PID 1488 wrote to memory of 1320	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	cmd.exe
PID 1488 wrote to memory of 1320	1488	0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
"C:\Users\Admin\AppData\Local\Temp\0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\uzybsgkl.exe
"C:\Users\Admin\uzybsgkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 468
4⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3127.bat" "
2⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3164 -ip 3164
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3127.bat
Filesize
302B

MD5
4987e43eb075f5da1d7663541c9f84ba

SHA1
e6cbfdff1b695d0dd7a7c48ece8b71454f921464

SHA256
cfd836a78db5d20c1633784346a3dff1661d222ea3313604f6aad44c056a0717

SHA512
f077bd12bf2023c3651fc18dedc04dec1f94d48f79030a7394832f18dfa6154d5967f1085c1e96e70b8649caec5eb3b7ef8bb54bdaef53517c3313ab5b1c0faf

Download Submit
C:\Users\Admin\uzybsgkl.exe
Filesize
37.7MB

MD5
f4eaf1dc26ac982d0a0f081463b47d85

SHA1
6fc83afccc09abfa3184f32ef9f035bf6b085460

SHA256
76cddf9c29884f28a5343c583f3d9c3735f39336f279ff09763a8c923491a721

SHA512
d30a9f9d7572142c114902c5c7892bfeb6cf6262cd2f425c931cbdc0a8ce5f68b3ec0be1b614017460b237ccaa46ffbb0da6ee36364ef4b7b15b418f9069ece0

Download Submit
C:\Users\Admin\uzybsgkl.exe
Filesize
37.7MB

MD5
f4eaf1dc26ac982d0a0f081463b47d85

SHA1
6fc83afccc09abfa3184f32ef9f035bf6b085460

SHA256
76cddf9c29884f28a5343c583f3d9c3735f39336f279ff09763a8c923491a721

SHA512
d30a9f9d7572142c114902c5c7892bfeb6cf6262cd2f425c931cbdc0a8ce5f68b3ec0be1b614017460b237ccaa46ffbb0da6ee36364ef4b7b15b418f9069ece0

Download Submit
memory/1320-157-0x0000000000000000-mapping.dmp

Download
memory/1488-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1488-138-0x0000000002291000-0x0000000002296000-memory.dmp

Filesize
20KB

Download
memory/1488-144-0x0000000075790000-0x00000000758ED000-memory.dmp

Filesize
1.4MB

Download
memory/1488-158-0x0000000075790000-0x00000000758ED000-memory.dmp

Filesize
1.4MB

Download
memory/1488-132-0x0000000002291000-0x0000000002296000-memory.dmp

Filesize
20KB

Download
memory/3164-151-0x0000000000000000-mapping.dmp

Download
memory/3164-156-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/3164-152-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/3164-160-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/4656-155-0x0000000075790000-0x00000000758ED000-memory.dmp

Filesize
1.4MB

Download
memory/4656-145-0x0000000002E31000-0x0000000002E36000-memory.dmp

Filesize
20KB

Download
memory/4656-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads