tofsee | 608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b

General

Target

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe
Size

180KB
MD5

079eeb586e7e582083387bd6c1342a87
SHA1

37dc6f6df1e3b634cf6d5d7eec52d28550db0732
SHA256

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b
SHA512

c12a383e3e08d526da6c6dd4e1ccaaf4b842f04c7f3745de08f8e946a44330803472f14ed78a10ed434d55c7da3e4e3ca21582fb701c388b38bdff6477f47e0a

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 1 IoCs

Processes:

dihkbptu.exe

pid process

1980 dihkbptu.exe

pid	process
1980	dihkbptu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\dihkbptu.exe\""	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dihkbptu.exe

description pid process target process

PID 1980 set thread context of 3156 1980 dihkbptu.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3536 3156 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exedihkbptu.exe

pid process

4324 608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe
1980 dihkbptu.exe

description	pid	process	target process
PID 1980 set thread context of 3156	1980	dihkbptu.exe	svchost.exe

pid	pid_target	process	target process
3536	3156	WerFault.exe	svchost.exe

pid	process
4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe
1980	dihkbptu.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exedihkbptu.exe

description	pid	process	target process
PID 4324 wrote to memory of 1980	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	dihkbptu.exe
PID 4324 wrote to memory of 1980	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	dihkbptu.exe
PID 4324 wrote to memory of 1980	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	dihkbptu.exe
PID 4324 wrote to memory of 3248	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	cmd.exe
PID 4324 wrote to memory of 3248	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	cmd.exe
PID 4324 wrote to memory of 3248	4324	608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe	cmd.exe
PID 1980 wrote to memory of 3156	1980	dihkbptu.exe	svchost.exe
PID 1980 wrote to memory of 3156	1980	dihkbptu.exe	svchost.exe
PID 1980 wrote to memory of 3156	1980	dihkbptu.exe	svchost.exe
PID 1980 wrote to memory of 3156	1980	dihkbptu.exe	svchost.exe
PID 1980 wrote to memory of 3156	1980	dihkbptu.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe
"C:\Users\Admin\AppData\Local\Temp\608f00694431d768e0f89037b3cea2805932ac3228b82742805456175125248b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\dihkbptu.exe
"C:\Users\Admin\dihkbptu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 468
4⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2162.bat" "
2⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3156 -ip 3156
1⤵
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2162.bat
Filesize
302B

MD5
7174337f82ef11b63851b6530cfba05b

SHA1
8c0ae8d24f1b598459075f1ded9b1fbc8f192b78

SHA256
8b59cbe7a0c39144dbb6fcf2e44aebf7e941b01042b6decedc20983dcbf14558

SHA512
48f86aa5096ba5f1adeabf92ba27b88b4a5c5b0154ac52ccbd3c0e9f6b74946a3944df539dc233c75d3e66d04cffce5beb77a9d9bd44c5972e778bba66691bef

Download Submit
C:\Users\Admin\dihkbptu.exe
Filesize
33.5MB

MD5
c31a3926846efb1b7feb89b2656afc2b

SHA1
6c8ba2a03d9388c43629d8909aec292a2a406b29

SHA256
14414fe4f7eb1323964ee5eacc5a72485df98f54af16c78b87fc267bdd291cc8

SHA512
b12857fbb0089ee067adc38b2bab49c78672fa18af6836621145c3777f4335c8002ef113ccb4d3cf61769ec2a1081ce83c50a6113a687748278e0540a1082c2e

Download Submit
C:\Users\Admin\dihkbptu.exe
Filesize
33.5MB

MD5
c31a3926846efb1b7feb89b2656afc2b

SHA1
6c8ba2a03d9388c43629d8909aec292a2a406b29

SHA256
14414fe4f7eb1323964ee5eacc5a72485df98f54af16c78b87fc267bdd291cc8

SHA512
b12857fbb0089ee067adc38b2bab49c78672fa18af6836621145c3777f4335c8002ef113ccb4d3cf61769ec2a1081ce83c50a6113a687748278e0540a1082c2e

Download Submit
memory/1980-138-0x0000000000000000-mapping.dmp

Download
memory/1980-156-0x0000000074FB0000-0x000000007510D000-memory.dmp

Filesize
1.4MB

Download
memory/1980-148-0x0000000002C41000-0x0000000002C46000-memory.dmp

Filesize
20KB

Download
memory/3156-154-0x0000000000000000-mapping.dmp

Download
memory/3156-160-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/3156-159-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/3156-158-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/3156-155-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/3248-144-0x0000000000000000-mapping.dmp

Download
memory/4324-143-0x0000000074FB0000-0x000000007510D000-memory.dmp

Filesize
1.4MB

Download
memory/4324-146-0x0000000074FB0000-0x000000007510D000-memory.dmp

Filesize
1.4MB

Download
memory/4324-145-0x0000000002DB1000-0x0000000002DB6000-memory.dmp

Filesize
20KB

Download
memory/4324-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4324-132-0x0000000002DB1000-0x0000000002DB6000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads