tofsee | 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed

General

Target

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
Size

143KB
MD5

060bd7824d33fece88d0b30173fa9552
SHA1

79b6fc5843fa02d997733389cee31708cc709d34
SHA256

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed
SHA512

95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

reblslze.exe

pid process

1708 reblslze.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe

pid	process
1708	reblslze.exe

pid	process
1728	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe

pid	process
1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\reblslze.exe\""	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exereblslze.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	reblslze.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	reblslze.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

reblslze.exe

description pid process target process

PID 1708 set thread context of 1512 1708 reblslze.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1708 set thread context of 1512	1708	reblslze.exe	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exereblslze.exe

description	pid	process	target process
PID 1800 wrote to memory of 1708	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	reblslze.exe
PID 1800 wrote to memory of 1708	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	reblslze.exe
PID 1800 wrote to memory of 1708	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	reblslze.exe
PID 1800 wrote to memory of 1708	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	reblslze.exe
PID 1800 wrote to memory of 1728	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	cmd.exe
PID 1800 wrote to memory of 1728	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	cmd.exe
PID 1800 wrote to memory of 1728	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	cmd.exe
PID 1800 wrote to memory of 1728	1800	1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe	cmd.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe
PID 1708 wrote to memory of 1512	1708	reblslze.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
"C:\Users\Admin\AppData\Local\Temp\1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\reblslze.exe
"C:\Users\Admin\reblslze.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5030.bat" "
2⤵
- Deletes itself
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5030.bat
Filesize
302B

MD5
0c6c0cab50914df25f2dcf8997c3a3a6

SHA1
e624fed5c2c65d3d6874be7608f78ed1327bb700

SHA256
4783bf4675a7e57ccb644738842df97f5a9182637b0b5bc2e86a8c83669f666e

SHA512
29e02a9fea3cfbee27314e9f49cd1d2e865b8c2bfc848c3a7d1da1f2f861192340069a3eca3aebfb9e624aa4de214a71d53116c9f98423ec2624491307438337

Download Submit
C:\Users\Admin\reblslze.exe
Filesize
143KB

MD5
060bd7824d33fece88d0b30173fa9552

SHA1
79b6fc5843fa02d997733389cee31708cc709d34

SHA256
1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed

SHA512
95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6

Download Submit
C:\Users\Admin\reblslze.exe
Filesize
143KB

MD5
060bd7824d33fece88d0b30173fa9552

SHA1
79b6fc5843fa02d997733389cee31708cc709d34

SHA256
1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed

SHA512
95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6

Download Submit
\Users\Admin\reblslze.exe
Filesize
143KB

MD5
060bd7824d33fece88d0b30173fa9552

SHA1
79b6fc5843fa02d997733389cee31708cc709d34

SHA256
1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed

SHA512
95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6

Download Submit
\Users\Admin\reblslze.exe
Filesize
143KB

MD5
060bd7824d33fece88d0b30173fa9552

SHA1
79b6fc5843fa02d997733389cee31708cc709d34

SHA256
1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed

SHA512
95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6

Download Submit
memory/1512-69-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1512-67-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1512-77-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1512-76-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1512-74-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1512-70-0x0000000000087321-mapping.dmp

Download
memory/1708-64-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/1708-72-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1728-61-0x0000000000000000-mapping.dmp

Download
memory/1800-65-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1800-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-63-0x00000000063F0000-0x0000000006445000-memory.dmp

Filesize
340KB

Download
memory/1800-62-0x00000000063F0000-0x0000000006445000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads