tofsee | 1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1

General

Target

1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe
Size

112KB
MD5

633916351d1724c5dee57d31ee60adb6
SHA1

fddbffaf67742208cad9036564acdae7520d3390
SHA256

1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1
SHA512

32364dd7dcda32dc3148bc724282fea427494eaa3045096749f68479cd7eb3c2842290cb72b9de0c33965d453cb4792ee17874d6b27f9238cecc2e968afb1977
SSDEEP

3072:gjgRyvXEFiKfQ15q4Qe4FVwtwwgs4XBcO4:HRGX4kC1eZ6w

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

111.121.193.238

188.190.114.19

103.244.1.233

188.165.132.183

213.155.0.208

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Executes dropped EXE 1 IoCs

pid	Process
888	jszglwab.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe
1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\jszglwab.exe\""	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
432	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe
888	jszglwab.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1388 wrote to memory of 1352	1388	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	26
PID 1352 wrote to memory of 888	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	27
PID 1352 wrote to memory of 888	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	27
PID 1352 wrote to memory of 888	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	27
PID 1352 wrote to memory of 888	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	27
PID 1352 wrote to memory of 948	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	28
PID 1352 wrote to memory of 948	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	28
PID 1352 wrote to memory of 948	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	28
PID 1352 wrote to memory of 948	1352	1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe	28
PID 948 wrote to memory of 432	948	cmd.exe	30
PID 948 wrote to memory of 432	948	cmd.exe	30
PID 948 wrote to memory of 432	948	cmd.exe	30
PID 948 wrote to memory of 432	948	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe
"C:\Users\Admin\AppData\Local\Temp\1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe
  "C:\Users\Admin\AppData\Local\Temp\1f6a39c4520debfe0f31de642611dfe844c67eb5fc7b4af138df9c6b191a14a1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\jszglwab.exe
    "C:\Users\Admin\jszglwab.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\2156.bat" "
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2156.bat

Filesize
302B

MD5
28ebcf90a0314c23eca83289a22c4885

SHA1
7f767297080b0bbd63006737c41e1d63ce16fbf9

SHA256
66d20c8befd9993d0a4d6eed18ce10e4572b3bcbf1375088db6b3b8ef0653c6c

SHA512
582f3da8ca8ae7f47b1f3c988f84772c2d132d03ac68bd524076acad800ff2927aba7336050399015fc01883fb0259fdf068e199f79a7cec3c9670a887429276

Download Submit
C:\Users\Admin\jszglwab.exe

Filesize
40.3MB

MD5
b2cf0a75dadbcd1f3eb393ddcf01cc8f

SHA1
f58f6b4782903a955eae38b8c3b1f5aa8be86c10

SHA256
b2b8730dddaa40eb47df5d6f079d37914c2ef28a6c4b2a3bf1a05cdef4563383

SHA512
d2dcf875f93fb658c7d037db1b5a743a7bc5df75b6c9d768269496f5f18e19ed78c09dd513e389947029481812fdb6cdd9caf61999d587332180bfd8eabbc5f4

Download Submit
\Users\Admin\jszglwab.exe

Filesize
40.3MB

MD5
b2cf0a75dadbcd1f3eb393ddcf01cc8f

SHA1
f58f6b4782903a955eae38b8c3b1f5aa8be86c10

SHA256
b2b8730dddaa40eb47df5d6f079d37914c2ef28a6c4b2a3bf1a05cdef4563383

SHA512
d2dcf875f93fb658c7d037db1b5a743a7bc5df75b6c9d768269496f5f18e19ed78c09dd513e389947029481812fdb6cdd9caf61999d587332180bfd8eabbc5f4

Download Submit
\Users\Admin\jszglwab.exe

Filesize
40.3MB

MD5
b2cf0a75dadbcd1f3eb393ddcf01cc8f

SHA1
f58f6b4782903a955eae38b8c3b1f5aa8be86c10

SHA256
b2b8730dddaa40eb47df5d6f079d37914c2ef28a6c4b2a3bf1a05cdef4563383

SHA512
d2dcf875f93fb658c7d037db1b5a743a7bc5df75b6c9d768269496f5f18e19ed78c09dd513e389947029481812fdb6cdd9caf61999d587332180bfd8eabbc5f4

Download Submit
memory/888-71-0x00000000004C2000-0x00000000004C4000-memory.dmp

Filesize
8KB

Download
memory/888-70-0x00000000004B9000-0x00000000004CB000-memory.dmp

Filesize
72KB

Download
memory/1352-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1352-61-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1352-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1352-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1352-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1388-56-0x00000000002DA000-0x00000000002EC000-memory.dmp

Filesize
72KB

Download
memory/1388-57-0x00000000002E2000-0x00000000002E4000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing