tofsee | e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b

General

Target

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
Size

116KB
MD5

4c79627d173e65b9f8a540862cec94b6
SHA1

e8ccc199f9c837f87abac347f7c7e148852ee8ea
SHA256

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b
SHA512

bb3df0154d928e331f449bbdc2c85e82e9633db7408904039ffdb82ff55e16100eea48ed184b3aa70e38fb646d7b2c7c768cdee98bc1b8b342ceedd663de894e
SSDEEP

1536:LazW9cONBCMUUHTYT2n3oJJpG7V8JtYNvZL3HHjLvlz:+zW9cnMUyTYzG7V87YNvZTHH3vlz

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

ivansfyg.exeivansfyg.exe

pid process

2024 ivansfyg.exe
2028 ivansfyg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2012 cmd.exe

pid	process
2024	ivansfyg.exe
2028	ivansfyg.exe

pid	process
2012	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe

pid	process
992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ivansfyg.exe\""	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exeivansfyg.exeivansfyg.exe

description	pid	process	target process
PID 1228 set thread context of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 2024 set thread context of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2028 set thread context of 1428	2028	ivansfyg.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exeivansfyg.exe

pid process

1228 e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
2024 ivansfyg.exe

pid	process
1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
2024	ivansfyg.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exee454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exeivansfyg.exeivansfyg.exe

description	pid	process	target process
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 1228 wrote to memory of 992	1228	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
PID 992 wrote to memory of 2024	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	ivansfyg.exe
PID 992 wrote to memory of 2024	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	ivansfyg.exe
PID 992 wrote to memory of 2024	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	ivansfyg.exe
PID 992 wrote to memory of 2024	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2024 wrote to memory of 2028	2024	ivansfyg.exe	ivansfyg.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 2028 wrote to memory of 1428	2028	ivansfyg.exe	svchost.exe
PID 992 wrote to memory of 2012	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	cmd.exe
PID 992 wrote to memory of 2012	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	cmd.exe
PID 992 wrote to memory of 2012	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	cmd.exe
PID 992 wrote to memory of 2012	992	e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
"C:\Users\Admin\AppData\Local\Temp\e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe
"C:\Users\Admin\AppData\Local\Temp\e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\ivansfyg.exe
"C:\Users\Admin\ivansfyg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\ivansfyg.exe
"C:\Users\Admin\ivansfyg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8117.bat" "
3⤵
- Deletes itself
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8117.bat
Filesize
302B

MD5
8530fe7e53228917fc4431711989f54a

SHA1
824af3cb9149767d3bc3bed748d57983551ab893

SHA256
a90fe30e04b4dc00cce56b4f9b7d80525c5f68556c457b680179cbb94495a61e

SHA512
1cb91a04f17fb4390660d60b56c6df525f60536173d4035e6642a5ca6fb66bba7bc3cf5ad062366ea3c442e274ea29941a44d4af482096af9ba7d45597b02612

Download Submit
C:\Users\Admin\ivansfyg.exe
Filesize
38.7MB

MD5
42db86b64885116bff95f8eec6121f44

SHA1
0433fed28f054ba8f42c60d79ce741f009d19a16

SHA256
698db2ef248e0314f7dc17cb3eea5fbf9a93207c7c43ae6000f40808faa980ad

SHA512
0eb1152fb3f859a21d59103b4aa28a809a53bc98ca92cc779aef8e712489a1ed39be0dfdefd711d11c93ed15a7be702f9007078f3c3e763fb41d4aa986906445

Download Submit
C:\Users\Admin\ivansfyg.exe
Filesize
38.7MB

MD5
42db86b64885116bff95f8eec6121f44

SHA1
0433fed28f054ba8f42c60d79ce741f009d19a16

SHA256
698db2ef248e0314f7dc17cb3eea5fbf9a93207c7c43ae6000f40808faa980ad

SHA512
0eb1152fb3f859a21d59103b4aa28a809a53bc98ca92cc779aef8e712489a1ed39be0dfdefd711d11c93ed15a7be702f9007078f3c3e763fb41d4aa986906445

Download Submit
C:\Users\Admin\ivansfyg.exe
Filesize
38.7MB

MD5
42db86b64885116bff95f8eec6121f44

SHA1
0433fed28f054ba8f42c60d79ce741f009d19a16

SHA256
698db2ef248e0314f7dc17cb3eea5fbf9a93207c7c43ae6000f40808faa980ad

SHA512
0eb1152fb3f859a21d59103b4aa28a809a53bc98ca92cc779aef8e712489a1ed39be0dfdefd711d11c93ed15a7be702f9007078f3c3e763fb41d4aa986906445

Download Submit
\Users\Admin\ivansfyg.exe
Filesize
38.7MB

MD5
42db86b64885116bff95f8eec6121f44

SHA1
0433fed28f054ba8f42c60d79ce741f009d19a16

SHA256
698db2ef248e0314f7dc17cb3eea5fbf9a93207c7c43ae6000f40808faa980ad

SHA512
0eb1152fb3f859a21d59103b4aa28a809a53bc98ca92cc779aef8e712489a1ed39be0dfdefd711d11c93ed15a7be702f9007078f3c3e763fb41d4aa986906445

Download Submit
\Users\Admin\ivansfyg.exe
Filesize
38.7MB

MD5
42db86b64885116bff95f8eec6121f44

SHA1
0433fed28f054ba8f42c60d79ce741f009d19a16

SHA256
698db2ef248e0314f7dc17cb3eea5fbf9a93207c7c43ae6000f40808faa980ad

SHA512
0eb1152fb3f859a21d59103b4aa28a809a53bc98ca92cc779aef8e712489a1ed39be0dfdefd711d11c93ed15a7be702f9007078f3c3e763fb41d4aa986906445

Download Submit
memory/992-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-59-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/992-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-57-0x0000000000407860-mapping.dmp

Download
memory/1428-78-0x0000000000087860-mapping.dmp

Download
memory/1428-75-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1428-77-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1428-83-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1428-86-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2012-84-0x0000000000000000-mapping.dmp

Download
memory/2024-63-0x0000000000000000-mapping.dmp

Download
memory/2028-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-69-0x0000000000407860-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads