tofsee | 738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df

General

Target

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
Size

128KB
MD5

e0817495fcad5e019e645c222667d205
SHA1

09f723995470a58ba519efc4d6ebcfad466b7d57
SHA256

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df
SHA512

d5cb26130c38d64e259f6e89590623e074b16f226bec49681e4afd10ed9e6477802953e3f330a3ee020afc8653bef226bb52f010b7ae56c6fc6d25832f52e593
SSDEEP

1536:iQvOWIoFEZDjD1ACzG9wWMoHylbbDhn5WLr2S4a3eJ/8Ikfy6A1dAxAWh:bOKWDjD+UyLaPa3eJ/hr6ArAxAw

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.14

188.190.120.99

119.1.109.61

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

erwjobuc.exeerwjobuc.exe

pid process

620 erwjobuc.exe
4036 erwjobuc.exe

pid	process
620	erwjobuc.exe
4036	erwjobuc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\erwjobuc.exe\""	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exeerwjobuc.exeerwjobuc.exe

description	pid	process	target process
PID 3268 set thread context of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 620 set thread context of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 4036 set thread context of 5048	4036	erwjobuc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5080 5048 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exeerwjobuc.exe

pid process

3268 738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
620 erwjobuc.exe

pid	pid_target	process	target process
5080	5048	WerFault.exe	svchost.exe

pid	process
3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
620	erwjobuc.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exeerwjobuc.exeerwjobuc.exe

description	pid	process	target process
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 3268 wrote to memory of 1456	3268	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
PID 1456 wrote to memory of 620	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	erwjobuc.exe
PID 1456 wrote to memory of 620	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	erwjobuc.exe
PID 1456 wrote to memory of 620	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 620 wrote to memory of 4036	620	erwjobuc.exe	erwjobuc.exe
PID 4036 wrote to memory of 5048	4036	erwjobuc.exe	svchost.exe
PID 4036 wrote to memory of 5048	4036	erwjobuc.exe	svchost.exe
PID 4036 wrote to memory of 5048	4036	erwjobuc.exe	svchost.exe
PID 4036 wrote to memory of 5048	4036	erwjobuc.exe	svchost.exe
PID 4036 wrote to memory of 5048	4036	erwjobuc.exe	svchost.exe
PID 1456 wrote to memory of 3844	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	cmd.exe
PID 1456 wrote to memory of 3844	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	cmd.exe
PID 1456 wrote to memory of 3844	1456	738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
"C:\Users\Admin\AppData\Local\Temp\738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe
"C:\Users\Admin\AppData\Local\Temp\738814f87c44a9fe2963c3d8a4f335cf12e988a6a46f2437627cb468e3c193df.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\erwjobuc.exe
"C:\Users\Admin\erwjobuc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\erwjobuc.exe
"C:\Users\Admin\erwjobuc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 356
6⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1051.bat" "
3⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5048 -ip 5048
1⤵
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1051.bat
Filesize
302B

MD5
5c6b2e3ad14a0c68846b778a5914138f

SHA1
dd7123d67d166a7d8b2af31400f4c4f3e3b4aa6e

SHA256
fae9efe6991ff8fd9ac04dd9d711a46c8de80be2df7a26c835fad8b54fe6565e

SHA512
8e3bbac7454a3166622521d84ea8ed2766e56f4f738f6d36cb0d9dd26198758a1fae3a3955c00b1519f5685c27a419cdfa296ae0bf786ec1111d81e7db31f08d

Download Submit
C:\Users\Admin\erwjobuc.exe
Filesize
30.1MB

MD5
143eb0c0b321848c748051a915a13257

SHA1
c3c8abb5a87451854af06cb78b7f585482b9d1f0

SHA256
a4725e496235e9282cd5fb6984b7365b51430e1dbd83cb24f2bebb70352dbc09

SHA512
cdef5a29a576b37cfd4ea71a689a182fb2d30da82cc35255a9c21058060d2e59e363be28c3d39343d6142470fcf7ba200a34802a4e2ba8bb8c47c7bed557a092

Download Submit
C:\Users\Admin\erwjobuc.exe
Filesize
30.1MB

MD5
143eb0c0b321848c748051a915a13257

SHA1
c3c8abb5a87451854af06cb78b7f585482b9d1f0

SHA256
a4725e496235e9282cd5fb6984b7365b51430e1dbd83cb24f2bebb70352dbc09

SHA512
cdef5a29a576b37cfd4ea71a689a182fb2d30da82cc35255a9c21058060d2e59e363be28c3d39343d6142470fcf7ba200a34802a4e2ba8bb8c47c7bed557a092

Download Submit
C:\Users\Admin\erwjobuc.exe
Filesize
30.1MB

MD5
143eb0c0b321848c748051a915a13257

SHA1
c3c8abb5a87451854af06cb78b7f585482b9d1f0

SHA256
a4725e496235e9282cd5fb6984b7365b51430e1dbd83cb24f2bebb70352dbc09

SHA512
cdef5a29a576b37cfd4ea71a689a182fb2d30da82cc35255a9c21058060d2e59e363be28c3d39343d6142470fcf7ba200a34802a4e2ba8bb8c47c7bed557a092

Download Submit
memory/620-141-0x0000000000000000-mapping.dmp

Download
memory/1456-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1456-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1456-137-0x0000000000000000-mapping.dmp

Download
memory/1456-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3844-159-0x0000000000000000-mapping.dmp

Download
memory/4036-147-0x0000000000000000-mapping.dmp

Download
memory/4036-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4036-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5048-153-0x0000000000000000-mapping.dmp

Download
memory/5048-158-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/5048-154-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/5048-161-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads