tofsee | c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

General

Target

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
Size

192KB
MD5

da9f474b3a4d1af9d30a5101b652bbda
SHA1

6797f6e40f5439d15bfc94a53838983f8115b30a
SHA256

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd
SHA512

676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280
SSDEEP

3072:8c1EtBBRhiEkEq5NqNWx4zVybl4v9G1riZkn4O5Iwuk0yGglr:TOBz2NNyEwkncwupjglr

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

kqk.exekqk.exe

pid process

320 kqk.exe
1436 kqk.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

944 cmd.exe

pid	process
320	kqk.exe
1436	kqk.exe

pid	process
944	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe

pid	process
1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\kqk.exe\" /r"	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exekqk.exekqk.exe

description	pid	process	target process
PID 936 set thread context of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 320 set thread context of 1436	320	kqk.exe	kqk.exe
PID 1436 set thread context of 1312	1436	kqk.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exec146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exekqk.exekqk.exe

description	pid	process	target process
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 936 wrote to memory of 1956	936	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
PID 1956 wrote to memory of 320	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	kqk.exe
PID 1956 wrote to memory of 320	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	kqk.exe
PID 1956 wrote to memory of 320	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	kqk.exe
PID 1956 wrote to memory of 320	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	kqk.exe
PID 1956 wrote to memory of 944	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	cmd.exe
PID 1956 wrote to memory of 944	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	cmd.exe
PID 1956 wrote to memory of 944	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	cmd.exe
PID 1956 wrote to memory of 944	1956	c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe	cmd.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 320 wrote to memory of 1436	320	kqk.exe	kqk.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe
PID 1436 wrote to memory of 1312	1436	kqk.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
"C:\Users\Admin\AppData\Local\Temp\c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe
"C:\Users\Admin\AppData\Local\Temp\c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\kqk.exe
"C:\Users\Admin\kqk.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\kqk.exe
"C:\Users\Admin\kqk.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3548.bat" "
3⤵
- Deletes itself
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3548.bat

Filesize
135B

MD5
96084151008821ff81cbf0e1ff58329c

SHA1
ff1450cc44ed0086e9ba53775bd63698038747c9

SHA256
309d1a71793aa782db92c5debf1d769d15609de94a5ec470485f4dd54155d3eb

SHA512
886d69ef4942bd68b4ed9dbb0bb961972d25281f14b07b7f70d51c857d83d93ec3fe85fc9c9062a660308175340d7403e6dbb4746a40cb56761ccf56a68f7b8f

Download Submit
C:\Users\Admin\kqk.exe

Filesize
192KB

MD5
da9f474b3a4d1af9d30a5101b652bbda

SHA1
6797f6e40f5439d15bfc94a53838983f8115b30a

SHA256
c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

SHA512
676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280

Download Submit
C:\Users\Admin\kqk.exe

Filesize
192KB

MD5
da9f474b3a4d1af9d30a5101b652bbda

SHA1
6797f6e40f5439d15bfc94a53838983f8115b30a

SHA256
c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

SHA512
676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280

Download Submit
C:\Users\Admin\kqk.exe

Filesize
192KB

MD5
da9f474b3a4d1af9d30a5101b652bbda

SHA1
6797f6e40f5439d15bfc94a53838983f8115b30a

SHA256
c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

SHA512
676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280

Download Submit
\Users\Admin\kqk.exe

Filesize
192KB

MD5
da9f474b3a4d1af9d30a5101b652bbda

SHA1
6797f6e40f5439d15bfc94a53838983f8115b30a

SHA256
c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

SHA512
676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280

Download Submit
\Users\Admin\kqk.exe

Filesize
192KB

MD5
da9f474b3a4d1af9d30a5101b652bbda

SHA1
6797f6e40f5439d15bfc94a53838983f8115b30a

SHA256
c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd

SHA512
676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280

Download Submit
memory/320-70-0x0000000000000000-mapping.dmp

Download
memory/944-72-0x0000000000000000-mapping.dmp

Download
memory/1312-94-0x00000000000F6D21-mapping.dmp

Download
memory/1312-93-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/1312-97-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/1312-98-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/1312-99-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/1436-86-0x0000000000406D21-mapping.dmp

Download
memory/1436-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-66-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1956-64-0x0000000000406D21-mapping.dmp

Download
memory/1956-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1956-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads