tofsee | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172

General

Target

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
Size

176KB
MD5

69149d4fbc2666bd9beb761b3337e6fe
SHA1

f27c17a5e9b3d77a6049637b54ff9d56c4b91785
SHA256

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172
SHA512

833db5449a8f6333ff13127334e19fc105a6a473552f395d39101ab19e7e0c094f514459294f41b1ee4c7388ad120b31484ebbeeefa8bb6ebe13fc488a814e72

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

glkneswx.exe

pid process

4956 glkneswx.exe

pid	process
4956	glkneswx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\glkneswx.exe\""	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AA2DF9A5-F7CA-4967-BD6C-99ECD5BAE139}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{79848B50-6150-4E97-909F-1208708DEAA7}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

glkneswx.exe

description pid process target process

PID 4956 set thread context of 1400 4956 glkneswx.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2164 1400 WerFault.exe svchost.exe

description	pid	process	target process
PID 4956 set thread context of 1400	4956	glkneswx.exe	svchost.exe

pid	pid_target	process	target process
2164	1400	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exeglkneswx.exe

pid process

4464 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
4956 glkneswx.exe

pid	process
4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
4956	glkneswx.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exeglkneswx.exe

description	pid	process	target process
PID 4464 wrote to memory of 4956	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	glkneswx.exe
PID 4464 wrote to memory of 4956	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	glkneswx.exe
PID 4464 wrote to memory of 4956	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	glkneswx.exe
PID 4464 wrote to memory of 4136	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	cmd.exe
PID 4464 wrote to memory of 4136	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	cmd.exe
PID 4464 wrote to memory of 4136	4464	2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe	cmd.exe
PID 4956 wrote to memory of 1400	4956	glkneswx.exe	svchost.exe
PID 4956 wrote to memory of 1400	4956	glkneswx.exe	svchost.exe
PID 4956 wrote to memory of 1400	4956	glkneswx.exe	svchost.exe
PID 4956 wrote to memory of 1400	4956	glkneswx.exe	svchost.exe
PID 4956 wrote to memory of 1400	4956	glkneswx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
"C:\Users\Admin\AppData\Local\Temp\2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\glkneswx.exe
"C:\Users\Admin\glkneswx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 468
4⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0107.bat" "
2⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1400 -ip 1400
1⤵
PID:3960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0107.bat
Filesize
302B

MD5
86439fa75168b38e020ba551c2a8d755

SHA1
801ae13cb7746ba21b167ab8e7797b85b35ae9a8

SHA256
aa1d31671aa84ba2efb12a8105a75c3e76075a2e7da3d4134d919d1c82de5378

SHA512
55b1f20ce23a7569499e1bf9959a411f06596c81449c5e8dec7879953ef6b412a3d4428fbb2d345ea44df574d588d177fb2f7bd39b59d40558e92c64c8d6f989

Download Submit
C:\Users\Admin\glkneswx.exe
Filesize
40.2MB

MD5
9202486a5ccfd0c1cd422ea0973abb79

SHA1
100bf10f2081dbfa0230589cabc44e7b614f5361

SHA256
e58630b30ffe30852fc9d31bf29ec6f06caa12edb0d49f34e8fcb3dd00dcb33a

SHA512
3de1d383eb171ec70e0bd2314b97938c41beaf40ea9a70e0fe3a1f84509c1adb5d8ddc1917cf23d8adb9484a00abcfaf86870fd2ab8cb801ecc9d9bb560cfb08

Download Submit
C:\Users\Admin\glkneswx.exe
Filesize
40.2MB

MD5
9202486a5ccfd0c1cd422ea0973abb79

SHA1
100bf10f2081dbfa0230589cabc44e7b614f5361

SHA256
e58630b30ffe30852fc9d31bf29ec6f06caa12edb0d49f34e8fcb3dd00dcb33a

SHA512
3de1d383eb171ec70e0bd2314b97938c41beaf40ea9a70e0fe3a1f84509c1adb5d8ddc1917cf23d8adb9484a00abcfaf86870fd2ab8cb801ecc9d9bb560cfb08

Download Submit
memory/1400-159-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/1400-158-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/1400-154-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/1400-153-0x0000000000000000-mapping.dmp

Download
memory/4136-145-0x0000000000000000-mapping.dmp

Download
memory/4464-144-0x0000000075230000-0x000000007538D000-memory.dmp

Filesize
1.4MB

Download
memory/4464-132-0x00000000024F1000-0x00000000024F6000-memory.dmp

Filesize
20KB

Download
memory/4464-141-0x00000000024F1000-0x00000000024F6000-memory.dmp

Filesize
20KB

Download
memory/4464-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4956-147-0x0000000003421000-0x0000000003426000-memory.dmp

Filesize
20KB

Download
memory/4956-156-0x0000000075230000-0x000000007538D000-memory.dmp

Filesize
1.4MB

Download
memory/4956-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads