tofsee | c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59

Analysis

max time kernel
99s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe
Size

1.1MB
MD5

676ed17e4e879a2a2f78da41b16acd70
SHA1

fd2b588155e082521c69b2d272f5bfc23e04a5bb
SHA256

c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59
SHA512

32c0d04253331fbb0e921a7c643b9cd2bba326dee2b15fd0d2d63bf82fabe2f4248d1bf1b6fa430df3d4cc37c4b5b9b32c7bf310269f676c7a829fffe0515d3c
SSDEEP

3072:q2Epu+/YrezMHLJfDZy0s3cccccccccccccccccccccccccccccccccccccccccv:qFp6X91si7

Score

10^/10

tofsee trojan

Malware Config

Extracted

Family

tofsee

43.225.38.217

111.121.193.242

188.190.120.101

188.165.132.183

213.155.0.208

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 4952 wrote to memory of 3348	4952	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	80
PID 3348 wrote to memory of 1280	3348	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	81
PID 3348 wrote to memory of 1280	3348	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	81
PID 3348 wrote to memory of 1280	3348	c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe	81

C:\Users\Admin\AppData\Local\Temp\c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe
"C:\Users\Admin\AppData\Local\Temp\c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe
  "C:\Users\Admin\AppData\Local\Temp\c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4232.bat" "
    3⤵
    PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4232.bat

Filesize
302B

MD5
0ea6da8ddcddd37bdb399ca52b3bd3be

SHA1
427b51457fe0a14db29160f961e4843e1d9f5fa9

SHA256
15c0611759cabf5db9e26d33d6f2110d81ac2b2a5e8aebd56a434f3cf55e8a87

SHA512
62c10f4035491c63c702bd8061f19b2c290d797841b6fad1f62efcdd2969327cc394a06aa934dd84d7b574ddb80169a7927bf74eb15218a7682bb136360238f8

Download Submit
memory/3348-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3348-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3348-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download