tofsee | 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033

General

Target

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
Size

196KB
MD5

371e8928f2518f19e3439a7f1870b6ce
SHA1

685d65f85a1e23324fa378f9301a36a52ace4759
SHA256

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033
SHA512

32703ea0d84be57d5efda99d0a4746d1c4fb5e6a634d24fe8760b6bfbeb23141f34212ea4d17c35497635f2ee4b02aba482577b1f1f3cc872bce903c6604787e

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

zedgxlpq.exe

pid process

1388 zedgxlpq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe

pid	process
1388	zedgxlpq.exe

pid	process
2020	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe

pid	process
1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\zedgxlpq.exe\""	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zedgxlpq.exe

description pid process target process

PID 1388 set thread context of 992 1388 zedgxlpq.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exezedgxlpq.exe

pid process

1548 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
1388 zedgxlpq.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exezedgxlpq.exe

pid process

1548 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
1388 zedgxlpq.exe

description	pid	process	target process
PID 1388 set thread context of 992	1388	zedgxlpq.exe	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exezedgxlpq.exe

description	pid	process	target process
PID 1548 wrote to memory of 1388	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	zedgxlpq.exe
PID 1548 wrote to memory of 1388	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	zedgxlpq.exe
PID 1548 wrote to memory of 1388	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	zedgxlpq.exe
PID 1548 wrote to memory of 1388	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	zedgxlpq.exe
PID 1548 wrote to memory of 2020	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	cmd.exe
PID 1548 wrote to memory of 2020	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	cmd.exe
PID 1548 wrote to memory of 2020	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	cmd.exe
PID 1548 wrote to memory of 2020	1548	0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe	cmd.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe
PID 1388 wrote to memory of 992	1388	zedgxlpq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
"C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\zedgxlpq.exe
"C:\Users\Admin\zedgxlpq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4788.bat" "
2⤵
- Deletes itself
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4788.bat
Filesize
302B

MD5
6b9cf7f6462dc12c2356a6687b4c2317

SHA1
ee40d8737db4d82a753d4c34585764fd4bcc6f35

SHA256
f48a50912a2e2c9de41ae4e91a88374dd97e5d9ae04da0c525b2408a41faba70

SHA512
3a306ba630df82d2fb0ae53886ade8931f3abfbb7f52d36d0541024f4a095e11226701aeef20682b37983e99ff8ed15c5f0e5fe3f87996edee1243bf0e6328af

Download Submit
C:\Users\Admin\zedgxlpq.exe
Filesize
36.4MB

MD5
2fd0c7f0c8bcc56172c1650f40a6549f

SHA1
c23616173edcf215f10aede512fa32df5f30c92b

SHA256
f39840e0b87c4f73aa9715301d12b9384c979e448c287b7ec4cfbe3278ec81ab

SHA512
07b8a7173da97da3839db6ae5aa7164324bdbd85bb22a5488f4522873a69a8e3690ecf01a303dafa88811ace1d00620cbdc7982d7625435cb1400d1c82fa18b2

Download Submit
C:\Users\Admin\zedgxlpq.exe
Filesize
36.4MB

MD5
2fd0c7f0c8bcc56172c1650f40a6549f

SHA1
c23616173edcf215f10aede512fa32df5f30c92b

SHA256
f39840e0b87c4f73aa9715301d12b9384c979e448c287b7ec4cfbe3278ec81ab

SHA512
07b8a7173da97da3839db6ae5aa7164324bdbd85bb22a5488f4522873a69a8e3690ecf01a303dafa88811ace1d00620cbdc7982d7625435cb1400d1c82fa18b2

Download Submit
\Users\Admin\zedgxlpq.exe
Filesize
36.4MB

MD5
2fd0c7f0c8bcc56172c1650f40a6549f

SHA1
c23616173edcf215f10aede512fa32df5f30c92b

SHA256
f39840e0b87c4f73aa9715301d12b9384c979e448c287b7ec4cfbe3278ec81ab

SHA512
07b8a7173da97da3839db6ae5aa7164324bdbd85bb22a5488f4522873a69a8e3690ecf01a303dafa88811ace1d00620cbdc7982d7625435cb1400d1c82fa18b2

Download Submit
\Users\Admin\zedgxlpq.exe
Filesize
36.4MB

MD5
2fd0c7f0c8bcc56172c1650f40a6549f

SHA1
c23616173edcf215f10aede512fa32df5f30c92b

SHA256
f39840e0b87c4f73aa9715301d12b9384c979e448c287b7ec4cfbe3278ec81ab

SHA512
07b8a7173da97da3839db6ae5aa7164324bdbd85bb22a5488f4522873a69a8e3690ecf01a303dafa88811ace1d00620cbdc7982d7625435cb1400d1c82fa18b2

Download Submit
memory/992-80-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/992-90-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/992-89-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/992-87-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/992-83-0x000000000008782D-mapping.dmp

Download
memory/992-82-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1388-65-0x0000000000000000-mapping.dmp

Download
memory/1388-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1388-85-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1388-69-0x0000000003011000-0x0000000003016000-memory.dmp

Filesize
20KB

Download
memory/1548-72-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1548-56-0x00000000031D1000-0x00000000031D6000-memory.dmp

Filesize
20KB

Download
memory/1548-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-57-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/2020-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads