tofsee | ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

General

Target

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
Size

81KB
MD5

aaf4a34a5d5d298ef5b02a4ac71378c6
SHA1

96b74f49bd95c0b18a5e22ff9bac7da3ebce1835
SHA256

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd
SHA512

ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6
SSDEEP

1536:iO6tyJjl87GWuWK6RpoBlJ/rkvgGYD3UH:iO6tyJkGHL6verggpUH

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

185.4.227.76

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

zzihtfsu.exezzihtfsu.exe

pid process

900 zzihtfsu.exe
524 zzihtfsu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

984 cmd.exe

pid	process
900	zzihtfsu.exe
524	zzihtfsu.exe

pid	process
984	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe

pid	process
1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\zzihtfsu.exe\""	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exezzihtfsu.exezzihtfsu.exe

description	pid	process	target process
PID 1536 set thread context of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 900 set thread context of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 524 set thread context of 592	524	zzihtfsu.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exeba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exezzihtfsu.exezzihtfsu.exe

description	pid	process	target process
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1536 wrote to memory of 1564	1536	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
PID 1564 wrote to memory of 900	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	zzihtfsu.exe
PID 1564 wrote to memory of 900	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	zzihtfsu.exe
PID 1564 wrote to memory of 900	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	zzihtfsu.exe
PID 1564 wrote to memory of 900	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 900 wrote to memory of 524	900	zzihtfsu.exe	zzihtfsu.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 524 wrote to memory of 592	524	zzihtfsu.exe	svchost.exe
PID 1564 wrote to memory of 984	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	cmd.exe
PID 1564 wrote to memory of 984	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	cmd.exe
PID 1564 wrote to memory of 984	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	cmd.exe
PID 1564 wrote to memory of 984	1564	ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
"C:\Users\Admin\AppData\Local\Temp\ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe
"C:\Users\Admin\AppData\Local\Temp\ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\zzihtfsu.exe
"C:\Users\Admin\zzihtfsu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\zzihtfsu.exe
"C:\Users\Admin\zzihtfsu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6776.bat" "
3⤵
- Deletes itself
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6776.bat
Filesize
302B

MD5
923d7d5868ee24cacca77067f4cb2ddc

SHA1
b4549c1470c941d3ff00dadac7c4c03aba007582

SHA256
ef47da55bec7a718debc3bb8f73570f7cbc30b35a68329f08c62789ea3060635

SHA512
7f1fb9e317770d247f75de01688d8d1ff9e2a5a018266542bd3cc8005ab5222df9fa1a700b7b023deb88067aed48c7c01fd82d46a7333b1931b0d81c9638887c

Download Submit
C:\Users\Admin\zzihtfsu.exe
Filesize
81KB

MD5
aaf4a34a5d5d298ef5b02a4ac71378c6

SHA1
96b74f49bd95c0b18a5e22ff9bac7da3ebce1835

SHA256
ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

SHA512
ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6

Download Submit
C:\Users\Admin\zzihtfsu.exe
Filesize
81KB

MD5
aaf4a34a5d5d298ef5b02a4ac71378c6

SHA1
96b74f49bd95c0b18a5e22ff9bac7da3ebce1835

SHA256
ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

SHA512
ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6

Download Submit
C:\Users\Admin\zzihtfsu.exe
Filesize
81KB

MD5
aaf4a34a5d5d298ef5b02a4ac71378c6

SHA1
96b74f49bd95c0b18a5e22ff9bac7da3ebce1835

SHA256
ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

SHA512
ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6

Download Submit
\Users\Admin\zzihtfsu.exe
Filesize
81KB

MD5
aaf4a34a5d5d298ef5b02a4ac71378c6

SHA1
96b74f49bd95c0b18a5e22ff9bac7da3ebce1835

SHA256
ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

SHA512
ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6

Download Submit
\Users\Admin\zzihtfsu.exe
Filesize
81KB

MD5
aaf4a34a5d5d298ef5b02a4ac71378c6

SHA1
96b74f49bd95c0b18a5e22ff9bac7da3ebce1835

SHA256
ba91ffb597778dc5526826dde9715282049d0732d08df54314c1087056d7fbcd

SHA512
ca22dc85572108ee699502e28bfec15f5fc8ad6424705eb2aa51a75b99ffc95e189ad6f7d9cc48a1c0cbb68b78fe9ffaa9ec0baa9fd2180d4b3f47a96574dea6

Download Submit
memory/524-69-0x000000000040741C-mapping.dmp

Download
memory/592-77-0x00000000000D741C-mapping.dmp

Download
memory/592-76-0x00000000000D0000-0x00000000000E1000-memory.dmp

Filesize
68KB

Download
memory/592-84-0x00000000000D0000-0x00000000000E1000-memory.dmp

Filesize
68KB

Download
memory/592-85-0x00000000000D0000-0x00000000000E1000-memory.dmp

Filesize
68KB

Download
memory/900-63-0x0000000000000000-mapping.dmp

Download
memory/984-81-0x0000000000000000-mapping.dmp

Download
memory/1564-59-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1564-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-57-0x000000000040741C-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads