tofsee | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb

General

Target

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Size

132KB
MD5

3247288441b450a0be73b99371ffe5a4
SHA1

00b0844f6d2ab60df8884f77d02c92f05f83cb48
SHA256

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
SHA512

b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Score

10^/10

tofsee persistence trojan upx

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

ckme.exe

pid process

900 ckme.exe

pid	process
900	ckme.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1820-55-0x0000000000400000-0x0000000000448000-memory.dmp	upx
\Users\Admin\ckme.exe	upx
\Users\Admin\ckme.exe	upx
C:\Users\Admin\ckme.exe	upx
C:\Users\Admin\ckme.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

732 cmd.exe

pid	process
732	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

pid	process
1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ckme.exe\""	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.execkme.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	ckme.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ckme.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ckme.exe

description pid process target process

PID 900 set thread context of 1672 900 ckme.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 900 set thread context of 1672	900	ckme.exe	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.execkme.exe

description	pid	process	target process
PID 1820 wrote to memory of 900	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	ckme.exe
PID 1820 wrote to memory of 900	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	ckme.exe
PID 1820 wrote to memory of 900	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	ckme.exe
PID 1820 wrote to memory of 900	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	ckme.exe
PID 1820 wrote to memory of 732	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	cmd.exe
PID 1820 wrote to memory of 732	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	cmd.exe
PID 1820 wrote to memory of 732	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	cmd.exe
PID 1820 wrote to memory of 732	1820	5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe	cmd.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe
PID 900 wrote to memory of 1672	900	ckme.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
"C:\Users\Admin\AppData\Local\Temp\5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\ckme.exe
"C:\Users\Admin\ckme.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2320.bat" "
2⤵
- Deletes itself
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2320.bat
Filesize
302B

MD5
fbe175270e8f2e037b02355ed0b0c367

SHA1
0ae5db5230df2372c8416cbd9db121c958a62c35

SHA256
2763b443c9fa6d2d9c55731d8a23752579965aedca6fb21479161acce0a83ef8

SHA512
0c61bd25ed04dc20b30b693c6aa59e6c091b508d46e21e45c6762e3f6547755e4fb543a0c6e37fca019c1391832543cd04c4d6a13cfff380f28fbc84b6b7b845

Download Submit
C:\Users\Admin\ckme.exe
Filesize
132KB

MD5
3247288441b450a0be73b99371ffe5a4

SHA1
00b0844f6d2ab60df8884f77d02c92f05f83cb48

SHA256
5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb

SHA512
b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Download Submit
C:\Users\Admin\ckme.exe
Filesize
132KB

MD5
3247288441b450a0be73b99371ffe5a4

SHA1
00b0844f6d2ab60df8884f77d02c92f05f83cb48

SHA256
5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb

SHA512
b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Download Submit
\Users\Admin\ckme.exe
Filesize
132KB

MD5
3247288441b450a0be73b99371ffe5a4

SHA1
00b0844f6d2ab60df8884f77d02c92f05f83cb48

SHA256
5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb

SHA512
b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Download Submit
\Users\Admin\ckme.exe
Filesize
132KB

MD5
3247288441b450a0be73b99371ffe5a4

SHA1
00b0844f6d2ab60df8884f77d02c92f05f83cb48

SHA256
5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb

SHA512
b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Download Submit
memory/732-61-0x0000000000000000-mapping.dmp

Download
memory/900-58-0x0000000000000000-mapping.dmp

Download
memory/900-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1672-67-0x0000000000087322-mapping.dmp

Download
memory/1672-66-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1672-64-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1672-71-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1672-73-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1672-74-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1820-62-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-54-0x0000000075851000-0x0000000075853000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads