tofsee | 2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b

General

Target

2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
Size

123KB
MD5

9023fe87594e524cb743689038daa1d0
SHA1

e9beebd569fd91ad7fbee9cd6fc31d736be0fc76
SHA256

2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b
SHA512

e4452210eb19c93e94c7b1a722bd71564cef9e93b723dfddf893bc88f03e50f5dca055d3aca713a083632b9187a738d33497b15aa47d23493130be587dedb459
SSDEEP

1536:e76oh6unW1dh3BpdOEeBW8aBFhrRFccloCtjbtXmEi8YJaXX:e704qr3BleB5aBXIcSCNbAlM

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.242.250.149

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Executes dropped EXE 1 IoCs

pid	Process
4160	abtrrldq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\abtrrldq.exe\""	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4160 set thread context of 5052	4160	abtrrldq.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4160	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	81
PID 3036 wrote to memory of 4160	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	81
PID 3036 wrote to memory of 4160	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	81
PID 4160 wrote to memory of 5052	4160	abtrrldq.exe	82
PID 4160 wrote to memory of 5052	4160	abtrrldq.exe	82
PID 4160 wrote to memory of 5052	4160	abtrrldq.exe	82
PID 4160 wrote to memory of 5052	4160	abtrrldq.exe	82
PID 4160 wrote to memory of 5052	4160	abtrrldq.exe	82
PID 3036 wrote to memory of 5004	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	85
PID 3036 wrote to memory of 5004	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	85
PID 3036 wrote to memory of 5004	3036	2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe	85

C:\Users\Admin\AppData\Local\Temp\2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe
"C:\Users\Admin\AppData\Local\Temp\2fc40cff07f1e60f6aa3c2e2a3d94c6d031573fd7eaddc865d396d3c27da583b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\abtrrldq.exe
  "C:\Users\Admin\abtrrldq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:5052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3634.bat" "
  2⤵
  PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5052 -ip 5052
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3634.bat

Filesize
302B

MD5
3011eef8f271d7ae680579fcf869530c

SHA1
810e5bdf9c904a6dc27fb40a1943c84198046931

SHA256
265d85af8de543dfdcb48668f203d71257af3bcb797759c0a314afef52275364

SHA512
8457c9e3552d885b5719fd003a9f13e4a09d467829f8e4ac11d61fe1aa71f896f8cf33688a8f7aeaa226ea3fe4215da575273b1d74640cc12660c2609134c80d

Download Submit
C:\Users\Admin\abtrrldq.exe

Filesize
34.2MB

MD5
ae401f72fb181db155375d6dc6d8992c

SHA1
a3a419aa7ad746efb33aedd2b384a7d52ef26cc6

SHA256
242e382d1c188901721382cd604dc304408cb3a72b9c6079e85f9f5d05247684

SHA512
834bee1459194073a17d7442721548014c6031527b6e1c4ea8f1b9638700597a043bfc4280b5909c3dd47b8bbcadb63941a11f571f481a5ff46a27ddc8fad12c

Download Submit
C:\Users\Admin\abtrrldq.exe

Filesize
34.2MB

MD5
ae401f72fb181db155375d6dc6d8992c

SHA1
a3a419aa7ad746efb33aedd2b384a7d52ef26cc6

SHA256
242e382d1c188901721382cd604dc304408cb3a72b9c6079e85f9f5d05247684

SHA512
834bee1459194073a17d7442721548014c6031527b6e1c4ea8f1b9638700597a043bfc4280b5909c3dd47b8bbcadb63941a11f571f481a5ff46a27ddc8fad12c

Download Submit
memory/3036-135-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-134-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/3036-133-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-132-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/3036-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4160-141-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/4160-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4160-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5052-140-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/5052-146-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing