tofsee | 2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b

General

Target

2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
Size

123KB
MD5

9023fe87594e524cb743689038daa1d0
SHA1

e9beebd569fd91ad7fbee9cd6fc31d736be0fc76
SHA256

2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b
SHA512

e4452210eb19c93e94c7b1a722bd71564cef9e93b723dfddf893bc88f03e50f5dca055d3aca713a083632b9187a738d33497b15aa47d23493130be587dedb459
SSDEEP

1536:e76oh6unW1dh3BpdOEeBW8aBFhrRFccloCtjbtXmEi8YJaXX:e704qr3BleB5aBXIcSCNbAlM

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.242.250.149

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Executes dropped EXE 1 IoCs

pid	Process
1752	vwommgyl.exe

Deletes itself 1 IoCs

pid	Process
1892	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\vwommgyl.exe\""	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1744	1752	vwommgyl.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
1752	vwommgyl.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1752	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	27
PID 1804 wrote to memory of 1752	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	27
PID 1804 wrote to memory of 1752	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	27
PID 1804 wrote to memory of 1752	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	27
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1752 wrote to memory of 1744	1752	vwommgyl.exe	28
PID 1804 wrote to memory of 1892	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	30
PID 1804 wrote to memory of 1892	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	30
PID 1804 wrote to memory of 1892	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	30
PID 1804 wrote to memory of 1892	1804	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	30

C:\Users\Admin\AppData\Local\Temp\2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
"C:\Users\Admin\AppData\Local\Temp\2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\vwommgyl.exe
  "C:\Users\Admin\vwommgyl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7843.bat" "
  2⤵
  - Deletes itself
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7843.bat

Filesize
302B

MD5
3011eef8f271d7ae680579fcf869530c

SHA1
810e5bdf9c904a6dc27fb40a1943c84198046931

SHA256
265d85af8de543dfdcb48668f203d71257af3bcb797759c0a314afef52275364

SHA512
8457c9e3552d885b5719fd003a9f13e4a09d467829f8e4ac11d61fe1aa71f896f8cf33688a8f7aeaa226ea3fe4215da575273b1d74640cc12660c2609134c80d

Download Submit
C:\Users\Admin\vwommgyl.exe

Filesize
33.6MB

MD5
a480788d8555382d4dc069eaf954416c

SHA1
6b667eb9bfce96d6795a21806abb8cf4dd23694e

SHA256
5090ea3a97d55a752ebf58efab2657cde4eda8ac482ccbd867d2dd36743d11ae

SHA512
a679a07fc11c31d78158c62180bd3fc8f18e43b5c28c28e13a1dfc0ed3e01d3fab063a0769e9124d8004f92ee0085ae46db8525ffef4b86feed09c1aad80be05

Download Submit
C:\Users\Admin\vwommgyl.exe

Filesize
33.6MB

MD5
a480788d8555382d4dc069eaf954416c

SHA1
6b667eb9bfce96d6795a21806abb8cf4dd23694e

SHA256
5090ea3a97d55a752ebf58efab2657cde4eda8ac482ccbd867d2dd36743d11ae

SHA512
a679a07fc11c31d78158c62180bd3fc8f18e43b5c28c28e13a1dfc0ed3e01d3fab063a0769e9124d8004f92ee0085ae46db8525ffef4b86feed09c1aad80be05

Download Submit
\Users\Admin\vwommgyl.exe

Filesize
33.6MB

MD5
a480788d8555382d4dc069eaf954416c

SHA1
6b667eb9bfce96d6795a21806abb8cf4dd23694e

SHA256
5090ea3a97d55a752ebf58efab2657cde4eda8ac482ccbd867d2dd36743d11ae

SHA512
a679a07fc11c31d78158c62180bd3fc8f18e43b5c28c28e13a1dfc0ed3e01d3fab063a0769e9124d8004f92ee0085ae46db8525ffef4b86feed09c1aad80be05

Download Submit
\Users\Admin\vwommgyl.exe

Filesize
33.6MB

MD5
a480788d8555382d4dc069eaf954416c

SHA1
6b667eb9bfce96d6795a21806abb8cf4dd23694e

SHA256
5090ea3a97d55a752ebf58efab2657cde4eda8ac482ccbd867d2dd36743d11ae

SHA512
a679a07fc11c31d78158c62180bd3fc8f18e43b5c28c28e13a1dfc0ed3e01d3fab063a0769e9124d8004f92ee0085ae46db8525ffef4b86feed09c1aad80be05

Download Submit
memory/1744-73-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1744-78-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1744-65-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1744-67-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1752-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1752-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-63-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1804-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1804-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1804-55-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1804-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing