tofsee | 063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48

General

Target

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
Size

124KB
MD5

8c61b0f91e87a4276dadb68757d06ce6
SHA1

b36cd20fa4094fe4fe341444740c64d647f7de7a
SHA256

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48
SHA512

c4506d09d87f3944562129a5457cf92f98303bb877b7e3380fce4a2fc5d6bf3e754e60e54415d8d588df172f6b1f37e087b0a8fbc314d01a5bc28c92ab1b4807
SSDEEP

1536:05qi9cmPC1eMK8echCEjQemGaNslku4ZAjj/4YAncWb+d:M9cHmchCYQ1Bsl146/4Yidb+d

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

cpuhmzsa.execpuhmzsa.exe

pid process

2528 cpuhmzsa.exe
5028 cpuhmzsa.exe

pid	process
2528	cpuhmzsa.exe
5028	cpuhmzsa.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\cpuhmzsa.exe\""	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.execpuhmzsa.execpuhmzsa.exe

description	pid	process	target process
PID 792 set thread context of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 2528 set thread context of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 5028 set thread context of 5040	5028	cpuhmzsa.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4228 5040 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.execpuhmzsa.exe

pid process

792 063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
2528 cpuhmzsa.exe

pid	pid_target	process	target process
4228	5040	WerFault.exe	svchost.exe

pid	process
792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
2528	cpuhmzsa.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.execpuhmzsa.execpuhmzsa.exe

description	pid	process	target process
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 792 wrote to memory of 1424	792	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
PID 1424 wrote to memory of 2528	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cpuhmzsa.exe
PID 1424 wrote to memory of 2528	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cpuhmzsa.exe
PID 1424 wrote to memory of 2528	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 2528 wrote to memory of 5028	2528	cpuhmzsa.exe	cpuhmzsa.exe
PID 5028 wrote to memory of 5040	5028	cpuhmzsa.exe	svchost.exe
PID 5028 wrote to memory of 5040	5028	cpuhmzsa.exe	svchost.exe
PID 5028 wrote to memory of 5040	5028	cpuhmzsa.exe	svchost.exe
PID 5028 wrote to memory of 5040	5028	cpuhmzsa.exe	svchost.exe
PID 5028 wrote to memory of 5040	5028	cpuhmzsa.exe	svchost.exe
PID 1424 wrote to memory of 1740	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe
PID 1424 wrote to memory of 1740	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe
PID 1424 wrote to memory of 1740	1424	063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
"C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe
"C:\Users\Admin\AppData\Local\Temp\063cc4d12c5a690504069405cbcae15796294d468b8159c0601f68c59a418b48.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\cpuhmzsa.exe
"C:\Users\Admin\cpuhmzsa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\cpuhmzsa.exe
"C:\Users\Admin\cpuhmzsa.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 356
6⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4645.bat" "
3⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5040 -ip 5040
1⤵
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4645.bat
Filesize
302B

MD5
641feece6097c5db7bc7dc9189cc97cd

SHA1
a192a9783d587daefb072d87c34bf1a4debbd2fc

SHA256
5a1c948b06b7680fd0f6a064ddfc36d5501e945c69c21dac8c1c4aa818360bb4

SHA512
d191683a4c96e83d6b08380888825bedf147f08e3d0c24027694183351d26a560a1e9f2c42a664c17b1a191c727bcbca8d85db71db4d478522b28f997b6f903a

Download Submit
C:\Users\Admin\cpuhmzsa.exe
Filesize
45.1MB

MD5
e083d26c1f1acc8e8a090bf04bc72c96

SHA1
56ed70ef2f6f1afc40e3f912f50e0a4acf72905f

SHA256
3dac0d4726348310175fc266c1c0b385ea094b07fb85157cb5a844f57e807741

SHA512
ca5e6ca399ae3716c643719f15e74794880481720d1f23a387bebd04746e92c68895ac9662a003d180c2326ea7a58b70194c4b09a92ec67940122382f87c9078

Download Submit
C:\Users\Admin\cpuhmzsa.exe
Filesize
45.1MB

MD5
e083d26c1f1acc8e8a090bf04bc72c96

SHA1
56ed70ef2f6f1afc40e3f912f50e0a4acf72905f

SHA256
3dac0d4726348310175fc266c1c0b385ea094b07fb85157cb5a844f57e807741

SHA512
ca5e6ca399ae3716c643719f15e74794880481720d1f23a387bebd04746e92c68895ac9662a003d180c2326ea7a58b70194c4b09a92ec67940122382f87c9078

Download Submit
C:\Users\Admin\cpuhmzsa.exe
Filesize
45.1MB

MD5
e083d26c1f1acc8e8a090bf04bc72c96

SHA1
56ed70ef2f6f1afc40e3f912f50e0a4acf72905f

SHA256
3dac0d4726348310175fc266c1c0b385ea094b07fb85157cb5a844f57e807741

SHA512
ca5e6ca399ae3716c643719f15e74794880481720d1f23a387bebd04746e92c68895ac9662a003d180c2326ea7a58b70194c4b09a92ec67940122382f87c9078

Download Submit
memory/1424-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-134-0x0000000000000000-mapping.dmp

Download
memory/1424-156-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1740-155-0x0000000000000000-mapping.dmp

Download
memory/2528-139-0x0000000000000000-mapping.dmp

Download
memory/5028-144-0x0000000000000000-mapping.dmp

Download
memory/5028-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5040-150-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/5040-149-0x0000000000000000-mapping.dmp

Download
memory/5040-154-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads