tofsee | 2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676

General

Target

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe
Size

152KB
MD5

8c49fb45ab38659a7e1c22685a2578c9
SHA1

9c2e7120232d29d7bb75797d8256dafb8bb424b1
SHA256

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676
SHA512

4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Score

10^/10

tofsee persistence trojan upx

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

mzwgnguz.exe

pid process

1088 mzwgnguz.exe

pid	process
1088	mzwgnguz.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1560-55-0x0000000000400000-0x0000000000453000-memory.dmp	upx
\Users\Admin\mzwgnguz.exe	upx
\Users\Admin\mzwgnguz.exe	upx
C:\Users\Admin\mzwgnguz.exe	upx
C:\Users\Admin\mzwgnguz.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1768 cmd.exe

pid	process
1768	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

pid	process
1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe
1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\mzwgnguz.exe\""	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exemzwgnguz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	mzwgnguz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	mzwgnguz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mzwgnguz.exe

description pid process target process

PID 1088 set thread context of 2044 1088 mzwgnguz.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1088 set thread context of 2044	1088	mzwgnguz.exe	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exemzwgnguz.exe

description	pid	process	target process
PID 1560 wrote to memory of 1088	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	mzwgnguz.exe
PID 1560 wrote to memory of 1088	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	mzwgnguz.exe
PID 1560 wrote to memory of 1088	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	mzwgnguz.exe
PID 1560 wrote to memory of 1088	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	mzwgnguz.exe
PID 1560 wrote to memory of 1768	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	cmd.exe
PID 1560 wrote to memory of 1768	1560	2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe	cmd.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe
PID 1088 wrote to memory of 2044	1088	mzwgnguz.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe
"C:\Users\Admin\AppData\Local\Temp\2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\mzwgnguz.exe
  "C:\Users\Admin\mzwgnguz.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3251.bat" "
  2⤵
  - Deletes itself
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3251.bat

Filesize
302B

MD5
80bc4a36793afa7cf72a4a173ae48553

SHA1
c13608f3fe63ac67e7042447691d0dd95e88bf9d

SHA256
b7571be744d84d2042554f79d4a922d00da7d42d44e8a674e3454715b83af8f6

SHA512
a4a50cfdc2813dfa0595a49f3e82b8132831505fe4794f5742df7da225a16ba97e71d6b2fb08a80cf6c20847f91740f5bfc81ec3c143ec777d7c99a22e2b2197

Download Submit
C:\Users\Admin\mzwgnguz.exe

Filesize
152KB

MD5
8c49fb45ab38659a7e1c22685a2578c9

SHA1
9c2e7120232d29d7bb75797d8256dafb8bb424b1

SHA256
2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676

SHA512
4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Download Submit
C:\Users\Admin\mzwgnguz.exe

Filesize
152KB

MD5
8c49fb45ab38659a7e1c22685a2578c9

SHA1
9c2e7120232d29d7bb75797d8256dafb8bb424b1

SHA256
2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676

SHA512
4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Download Submit
\Users\Admin\mzwgnguz.exe

Filesize
152KB

MD5
8c49fb45ab38659a7e1c22685a2578c9

SHA1
9c2e7120232d29d7bb75797d8256dafb8bb424b1

SHA256
2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676

SHA512
4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Download Submit
\Users\Admin\mzwgnguz.exe

Filesize
152KB

MD5
8c49fb45ab38659a7e1c22685a2578c9

SHA1
9c2e7120232d29d7bb75797d8256dafb8bb424b1

SHA256
2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676

SHA512
4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Download Submit
memory/1088-58-0x0000000000000000-mapping.dmp

Download
memory/1088-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1560-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/2044-66-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/2044-67-0x0000000000087321-mapping.dmp

Download
memory/2044-71-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/2044-72-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/2044-74-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads