tofsee | 350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2

General

Target

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe
Size

288KB
MD5

49c14162f3ee193af91eadadcca62016
SHA1

c45b24e9807486083c6a9f38a0ef9cfe4b75663b
SHA256

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2
SHA512

92ed684d0f88a131e8a9daa0f410a32b87f1748947fa8b7a3eda1cb953d2bb60c0e9c96933e9fa663916258cddc57a294dc0c436a9270318fe4fd6ac3de5ac5d

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

afehymqr.exe

pid process

4392 afehymqr.exe

pid	process
4392	afehymqr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\afehymqr.exe\""	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afehymqr.exe

description pid process target process

PID 4392 set thread context of 4036 4392 afehymqr.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4440 4036 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exeafehymqr.exe

pid process

4620 350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe
4392 afehymqr.exe

description	pid	process	target process
PID 4392 set thread context of 4036	4392	afehymqr.exe	svchost.exe

pid	pid_target	process	target process
4440	4036	WerFault.exe	svchost.exe

pid	process
4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe
4392	afehymqr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exeafehymqr.exe

description	pid	process	target process
PID 4620 wrote to memory of 4392	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	afehymqr.exe
PID 4620 wrote to memory of 4392	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	afehymqr.exe
PID 4620 wrote to memory of 4392	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	afehymqr.exe
PID 4620 wrote to memory of 1476	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	cmd.exe
PID 4620 wrote to memory of 1476	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	cmd.exe
PID 4620 wrote to memory of 1476	4620	350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe	cmd.exe
PID 4392 wrote to memory of 4036	4392	afehymqr.exe	svchost.exe
PID 4392 wrote to memory of 4036	4392	afehymqr.exe	svchost.exe
PID 4392 wrote to memory of 4036	4392	afehymqr.exe	svchost.exe
PID 4392 wrote to memory of 4036	4392	afehymqr.exe	svchost.exe
PID 4392 wrote to memory of 4036	4392	afehymqr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe
"C:\Users\Admin\AppData\Local\Temp\350a594c4295d9108753f28159e65d192256b74968b087b90cb2ec091cfa2ad2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\afehymqr.exe
"C:\Users\Admin\afehymqr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 468
4⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7244.bat" "
2⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4036 -ip 4036
1⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7244.bat
Filesize
302B

MD5
459e7a0d1b8311303df978394750912e

SHA1
61ffc0dedf349e574e8bef3126c487b0f21e4d31

SHA256
6259529a3f993441ae08ae72524b69b08dd82a8d7c2255df495e2e957b9e1e7d

SHA512
2df30d74296c0821d4eca05bd31ebd9edac1ce86e1dc5a84e12a9778be6f15871546c47c86d4c18979bab76d309d6839089e98d8d8694a4cca59c5c1b8b65b15

Download Submit
C:\Users\Admin\afehymqr.exe
Filesize
44.2MB

MD5
8957449bd9c15a186198136e563d3c36

SHA1
4d2ad89d155a489bcf4dbfb8c332c8ea1808ee90

SHA256
07e3f536f28da521ec364a21149fcc0a09ce5ab8485c9e330a8c093518ae13eb

SHA512
342362a6334413afb191809a631766682b2dabcf0210f73f6ff35ac7e8c9f9f16f53237cdad43460c63bddb834aa29021380f55f66e5c0ffe5121e26515ffa91

Download Submit
C:\Users\Admin\afehymqr.exe
Filesize
44.2MB

MD5
8957449bd9c15a186198136e563d3c36

SHA1
4d2ad89d155a489bcf4dbfb8c332c8ea1808ee90

SHA256
07e3f536f28da521ec364a21149fcc0a09ce5ab8485c9e330a8c093518ae13eb

SHA512
342362a6334413afb191809a631766682b2dabcf0210f73f6ff35ac7e8c9f9f16f53237cdad43460c63bddb834aa29021380f55f66e5c0ffe5121e26515ffa91

Download Submit
memory/1476-144-0x0000000000000000-mapping.dmp

Download
memory/4036-153-0x0000000000000000-mapping.dmp

Download
memory/4036-154-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/4036-158-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/4036-159-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/4392-138-0x0000000000000000-mapping.dmp

Download
memory/4392-147-0x0000000002C61000-0x0000000002C66000-memory.dmp

Filesize
20KB

Download
memory/4392-157-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/4620-143-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/4620-132-0x0000000002D41000-0x0000000002D46000-memory.dmp

Filesize
20KB

Download
memory/4620-145-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/4620-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads