tofsee | 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb

General

Target

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
Size

164KB
MD5

3a418eebc66c60605b3fd8ff3d0ae7fe
SHA1

c783046040c8b68cbb7a7e515636bea2abcafa4b
SHA256

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb
SHA512

d83601897c97e81a0e23644ebcf089e31b8f0103122591e334301b867b58f9e46abfcf4d9d65716d5d1655a75a91a39aa919f0e4ff96c73761674ab72fee0543

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

ydcfwkop.exe

pid process

4076 ydcfwkop.exe

pid	process
4076	ydcfwkop.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ydcfwkop.exe\""	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ydcfwkop.exe

description pid process target process

PID 4076 set thread context of 1788 4076 ydcfwkop.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1952 1788 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exeydcfwkop.exe

pid process

4748 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
4076 ydcfwkop.exe

description	pid	process	target process
PID 4076 set thread context of 1788	4076	ydcfwkop.exe	svchost.exe

pid	pid_target	process	target process
1952	1788	WerFault.exe	svchost.exe

pid	process
4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
4076	ydcfwkop.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exeydcfwkop.exe

description	pid	process	target process
PID 4748 wrote to memory of 4076	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	ydcfwkop.exe
PID 4748 wrote to memory of 4076	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	ydcfwkop.exe
PID 4748 wrote to memory of 4076	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	ydcfwkop.exe
PID 4748 wrote to memory of 4900	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	cmd.exe
PID 4748 wrote to memory of 4900	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	cmd.exe
PID 4748 wrote to memory of 4900	4748	186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe	cmd.exe
PID 4076 wrote to memory of 1788	4076	ydcfwkop.exe	svchost.exe
PID 4076 wrote to memory of 1788	4076	ydcfwkop.exe	svchost.exe
PID 4076 wrote to memory of 1788	4076	ydcfwkop.exe	svchost.exe
PID 4076 wrote to memory of 1788	4076	ydcfwkop.exe	svchost.exe
PID 4076 wrote to memory of 1788	4076	ydcfwkop.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
"C:\Users\Admin\AppData\Local\Temp\186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\ydcfwkop.exe
"C:\Users\Admin\ydcfwkop.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 468
4⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1217.bat" "
2⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1788 -ip 1788
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1217.bat
Filesize
302B

MD5
6018c418b1249476f7f479b8f56a3957

SHA1
be2370fb2cf4e5720e68092853426ea22e51da90

SHA256
522385956347845f7f5f81640b6b78fc254bf8d18ba264e82ce624c794095501

SHA512
011b9aaadb9eaa98fdce395bfac5f9c67731a43c426fe0bb3f2ec813947e488e63fb05f61c57146fd8be0e73e1aae6e74844b31c03f911b64d50d0c0186acb10

Download Submit
C:\Users\Admin\ydcfwkop.exe
Filesize
35.3MB

MD5
7395e7850d3adb6b955e63bd09bc0a1d

SHA1
466e4016521b262c1c1288e966dbc5469f3e1657

SHA256
5657974482531cba1eddfd21157f0af39db3dbb5a246a216551f81d2e82be479

SHA512
72cd74d60b91be911dddb0766f2ee013bfd1c899f8fd44797e13ba03ccac6ee6880a71e463cd6dd682b02d1d667fc8721316db8e0869c0304c745e46f6984d76

Download Submit
C:\Users\Admin\ydcfwkop.exe
Filesize
35.3MB

MD5
7395e7850d3adb6b955e63bd09bc0a1d

SHA1
466e4016521b262c1c1288e966dbc5469f3e1657

SHA256
5657974482531cba1eddfd21157f0af39db3dbb5a246a216551f81d2e82be479

SHA512
72cd74d60b91be911dddb0766f2ee013bfd1c899f8fd44797e13ba03ccac6ee6880a71e463cd6dd682b02d1d667fc8721316db8e0869c0304c745e46f6984d76

Download Submit
memory/1788-155-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1788-154-0x0000000000000000-mapping.dmp

Download
memory/1788-159-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1788-160-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/4076-138-0x0000000000000000-mapping.dmp

Download
memory/4076-148-0x0000000002D21000-0x0000000002D26000-memory.dmp

Filesize
20KB

Download
memory/4076-157-0x0000000074E80000-0x0000000074FDD000-memory.dmp

Filesize
1.4MB

Download
memory/4748-143-0x0000000074E80000-0x0000000074FDD000-memory.dmp

Filesize
1.4MB

Download
memory/4748-145-0x0000000002F81000-0x0000000002F86000-memory.dmp

Filesize
20KB

Download
memory/4748-146-0x0000000074E80000-0x0000000074FDD000-memory.dmp

Filesize
1.4MB

Download
memory/4748-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4748-132-0x0000000002F81000-0x0000000002F86000-memory.dmp

Filesize
20KB

Download
memory/4900-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads