tofsee | 063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48

General

Target

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
Size

124KB
MD5

8c61b0f91e87a4276dadb68757d06ce6
SHA1

b36cd20fa4094fe4fe341444740c64d647f7de7a
SHA256

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48
SHA512

c4506d09d87f3944562129a5457cf92f98303bb877b7e3380fce4a2fc5d6bf3e754e60e54415d8d588df172f6b1f37e087b0a8fbc314d01a5bc28c92ab1b4807
SSDEEP

1536:05qi9cmPC1eMK8echCEjQemGaNslku4ZAjj/4YAncWb+d:M9cHmchCYQ1Bsl146/4Yidb+d

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

uhmzerks.exeuhmzerks.exe

pid process

1272 uhmzerks.exe
1192 uhmzerks.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1712 cmd.exe

pid	process
1272	uhmzerks.exe
1192	uhmzerks.exe

pid	process
1712	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

pid	process
1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uhmzerks.exe\""	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exeuhmzerks.exeuhmzerks.exe

description	pid	process	target process
PID 1044 set thread context of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1272 set thread context of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1192 set thread context of 2008	1192	uhmzerks.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exeuhmzerks.exe

pid process

1044 063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
1272 uhmzerks.exe

pid	process
1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
1272	uhmzerks.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exeuhmzerks.exeuhmzerks.exe

description	pid	process	target process
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1044 wrote to memory of 1664	1044	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1664 wrote to memory of 1272	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	uhmzerks.exe
PID 1664 wrote to memory of 1272	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	uhmzerks.exe
PID 1664 wrote to memory of 1272	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	uhmzerks.exe
PID 1664 wrote to memory of 1272	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1272 wrote to memory of 1192	1272	uhmzerks.exe	uhmzerks.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1192 wrote to memory of 2008	1192	uhmzerks.exe	svchost.exe
PID 1664 wrote to memory of 1712	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe
PID 1664 wrote to memory of 1712	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe
PID 1664 wrote to memory of 1712	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe
PID 1664 wrote to memory of 1712	1664	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
"C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
"C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\uhmzerks.exe
"C:\Users\Admin\uhmzerks.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\uhmzerks.exe
"C:\Users\Admin\uhmzerks.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8321.bat" "
3⤵
- Deletes itself
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8321.bat
Filesize
302B

MD5
641feece6097c5db7bc7dc9189cc97cd

SHA1
a192a9783d587daefb072d87c34bf1a4debbd2fc

SHA256
5a1c948b06b7680fd0f6a064ddfc36d5501e945c69c21dac8c1c4aa818360bb4

SHA512
d191683a4c96e83d6b08380888825bedf147f08e3d0c24027694183351d26a560a1e9f2c42a664c17b1a191c727bcbca8d85db71db4d478522b28f997b6f903a

Download Submit
C:\Users\Admin\uhmzerks.exe
Filesize
31.6MB

MD5
914a65e9a273512516399f628744fcb9

SHA1
76707d5d05a534bb8111ff67593cfce45ea181eb

SHA256
8ced3169f82dc475303138a685181ed74f2e3bea5f1b731d32807aa33d4ef828

SHA512
8c2036d1278b05316ac6075836f786cd7f81e959399be8ca078feeaef8d9616fe821bd7b31e9a4bf1318b03ba4e1bb48edc86b93d0789808fecde66977bbe7be

Download Submit
C:\Users\Admin\uhmzerks.exe
Filesize
31.6MB

MD5
914a65e9a273512516399f628744fcb9

SHA1
76707d5d05a534bb8111ff67593cfce45ea181eb

SHA256
8ced3169f82dc475303138a685181ed74f2e3bea5f1b731d32807aa33d4ef828

SHA512
8c2036d1278b05316ac6075836f786cd7f81e959399be8ca078feeaef8d9616fe821bd7b31e9a4bf1318b03ba4e1bb48edc86b93d0789808fecde66977bbe7be

Download Submit
C:\Users\Admin\uhmzerks.exe
Filesize
31.6MB

MD5
914a65e9a273512516399f628744fcb9

SHA1
76707d5d05a534bb8111ff67593cfce45ea181eb

SHA256
8ced3169f82dc475303138a685181ed74f2e3bea5f1b731d32807aa33d4ef828

SHA512
8c2036d1278b05316ac6075836f786cd7f81e959399be8ca078feeaef8d9616fe821bd7b31e9a4bf1318b03ba4e1bb48edc86b93d0789808fecde66977bbe7be

Download Submit
\Users\Admin\uhmzerks.exe
Filesize
31.6MB

MD5
914a65e9a273512516399f628744fcb9

SHA1
76707d5d05a534bb8111ff67593cfce45ea181eb

SHA256
8ced3169f82dc475303138a685181ed74f2e3bea5f1b731d32807aa33d4ef828

SHA512
8c2036d1278b05316ac6075836f786cd7f81e959399be8ca078feeaef8d9616fe821bd7b31e9a4bf1318b03ba4e1bb48edc86b93d0789808fecde66977bbe7be

Download Submit
\Users\Admin\uhmzerks.exe
Filesize
31.6MB

MD5
914a65e9a273512516399f628744fcb9

SHA1
76707d5d05a534bb8111ff67593cfce45ea181eb

SHA256
8ced3169f82dc475303138a685181ed74f2e3bea5f1b731d32807aa33d4ef828

SHA512
8c2036d1278b05316ac6075836f786cd7f81e959399be8ca078feeaef8d9616fe821bd7b31e9a4bf1318b03ba4e1bb48edc86b93d0789808fecde66977bbe7be

Download Submit
memory/1192-70-0x0000000000407860-mapping.dmp

Download
memory/1192-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1272-64-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-59-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1664-57-0x0000000000407860-mapping.dmp

Download
memory/1664-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-83-0x0000000000000000-mapping.dmp

Download
memory/2008-77-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2008-78-0x0000000000087860-mapping.dmp

Download
memory/2008-75-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2008-86-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2008-87-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads