tofsee | 1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb

General

Target

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe
Size

328KB
MD5

1a848d9da35b7e5d8faa66c836e94861
SHA1

f161a407f9e3fecf8d1739cc841f2376db566c5d
SHA256

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb
SHA512

f1cef77fc5781c9e4ce15d5e2ffce9f658446f8bbab98a107e994fa701b73f5616b4d710cc1e33362d5b46f907c6efa4bc56c7d34f9105c80336b14e34b323d5

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

rwvypdhi.exe

pid process

2184 rwvypdhi.exe

pid	process
2184	rwvypdhi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\rwvypdhi.exe\""	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rwvypdhi.exe

description pid process target process

PID 2184 set thread context of 324 2184 rwvypdhi.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3764 324 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exerwvypdhi.exe

pid process

5100 1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe
2184 rwvypdhi.exe

description	pid	process	target process
PID 2184 set thread context of 324	2184	rwvypdhi.exe	svchost.exe

pid	pid_target	process	target process
3764	324	WerFault.exe	svchost.exe

pid	process
5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe
2184	rwvypdhi.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exerwvypdhi.exe

description	pid	process	target process
PID 5100 wrote to memory of 2184	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	rwvypdhi.exe
PID 5100 wrote to memory of 2184	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	rwvypdhi.exe
PID 5100 wrote to memory of 2184	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	rwvypdhi.exe
PID 5100 wrote to memory of 620	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	cmd.exe
PID 5100 wrote to memory of 620	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	cmd.exe
PID 5100 wrote to memory of 620	5100	1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe	cmd.exe
PID 2184 wrote to memory of 324	2184	rwvypdhi.exe	svchost.exe
PID 2184 wrote to memory of 324	2184	rwvypdhi.exe	svchost.exe
PID 2184 wrote to memory of 324	2184	rwvypdhi.exe	svchost.exe
PID 2184 wrote to memory of 324	2184	rwvypdhi.exe	svchost.exe
PID 2184 wrote to memory of 324	2184	rwvypdhi.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe
"C:\Users\Admin\AppData\Local\Temp\1aa5697f96a51fd5c776b394adbc732ab28b5b3228077dc11608b2a131cb5bfb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\rwvypdhi.exe
"C:\Users\Admin\rwvypdhi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 468
4⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1824.bat" "
2⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 324 -ip 324
1⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1824.bat
Filesize
302B

MD5
ad8a39db533146344ee56f738b4e0c40

SHA1
1602080d8bd489b7d1ff65c29d5536290baf02dc

SHA256
6ec0e89a579357ae4b26bc4ab8f81467a6ee9662492be5ef72fc172c26ca4fc7

SHA512
2e154e3c6849b094b3e335119883e8ae6edb898997f02856af7e608fc9a1257e4d8925a264bb0acc4bbca8eecaf0bd2daadf5357716a9d1e06ff68a5cd763698

Download Submit
C:\Users\Admin\rwvypdhi.exe
Filesize
32.7MB

MD5
107bf2cd4e4fc136ce38b438bc146a15

SHA1
dbde9534073970030ca506a5b092c39b166ce76b

SHA256
0e29063b266a2b4c6b850336082e7504891e81db72bc2676e49fbc926dc7bb19

SHA512
4c3dafb8333d64f8320d8c3cf53910e79f42931456a1b42c1fb87fa3736325ef9b9ecf6a2d2123a0a53595ee019c682281a39046d68744e69c5d3793431b913d

Download Submit
C:\Users\Admin\rwvypdhi.exe
Filesize
32.7MB

MD5
107bf2cd4e4fc136ce38b438bc146a15

SHA1
dbde9534073970030ca506a5b092c39b166ce76b

SHA256
0e29063b266a2b4c6b850336082e7504891e81db72bc2676e49fbc926dc7bb19

SHA512
4c3dafb8333d64f8320d8c3cf53910e79f42931456a1b42c1fb87fa3736325ef9b9ecf6a2d2123a0a53595ee019c682281a39046d68744e69c5d3793431b913d

Download Submit
memory/324-156-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/324-155-0x0000000000000000-mapping.dmp

Download
memory/324-161-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/324-162-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/620-147-0x0000000000000000-mapping.dmp

Download
memory/2184-141-0x0000000000000000-mapping.dmp

Download
memory/2184-159-0x00000000028D1000-0x00000000028D6000-memory.dmp

Filesize
20KB

Download
memory/2184-160-0x0000000074C90000-0x0000000074DED000-memory.dmp

Filesize
1.4MB

Download
memory/5100-146-0x0000000074C90000-0x0000000074DED000-memory.dmp

Filesize
1.4MB

Download
memory/5100-148-0x0000000074C90000-0x0000000074DED000-memory.dmp

Filesize
1.4MB

Download
memory/5100-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5100-135-0x0000000002CC1000-0x0000000002CC6000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads