tofsee | d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

General

Target

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
Size

169KB
MD5

d32ba71dfd5df6fc649515bbb0ba16bc
SHA1

dd0738787a869066c025b836ae631e5f883a5170
SHA256

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a
SHA512

49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278
SSDEEP

3072:TNnz4Uk1hIMY8JCLiwMiCjcLUZtHdnXzN2yWTtpFfhYL:TNXkJY8JGC4UzQZtpFhYL

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Executes dropped EXE 2 IoCs

Processes:

smytev.exesmytev.exe

pid process

784 smytev.exe
864 smytev.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1832 cmd.exe

pid	process
784	smytev.exe
864	smytev.exe

pid	process
1832	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe

pid	process
2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\smytev.exe\" /r"	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exesmytev.exesmytev.exe

description	pid	process	target process
PID 1420 set thread context of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 784 set thread context of 864	784	smytev.exe	smytev.exe
PID 864 set thread context of 1780	864	smytev.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of UnmapMainImage 1 IoCs

Processes:

smytev.exe

pid process

784 smytev.exe

pid	process
784	smytev.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exed228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exesmytev.exesmytev.exe

description	pid	process	target process
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 1420 wrote to memory of 2024	1420	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
PID 2024 wrote to memory of 784	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	smytev.exe
PID 2024 wrote to memory of 784	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	smytev.exe
PID 2024 wrote to memory of 784	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	smytev.exe
PID 2024 wrote to memory of 784	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 784 wrote to memory of 864	784	smytev.exe	smytev.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 864 wrote to memory of 1780	864	smytev.exe	svchost.exe
PID 2024 wrote to memory of 1832	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	cmd.exe
PID 2024 wrote to memory of 1832	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	cmd.exe
PID 2024 wrote to memory of 1832	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	cmd.exe
PID 2024 wrote to memory of 1832	2024	d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
"C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe
"C:\Users\Admin\AppData\Local\Temp\d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\smytev.exe
"C:\Users\Admin\smytev.exe" /r
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\smytev.exe
"C:\Users\Admin\smytev.exe" /r
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6662.bat" "
3⤵
- Deletes itself
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6662.bat
Filesize
135B

MD5
d17043871d48a2bcfff8880e06d3974f

SHA1
6281bcfe66f427b68e09fb0c06300157615b16db

SHA256
d5fe017c38240e68b2d5c3a46a76889c3e89be98334d9a0984466e08284f8bf6

SHA512
7c0e5720644a37e70221c4e6bb9b5b337a539b228992e38c8869684cac77d335df1b580c50fe44dc6ce3332bd9851bf11810a0d58c8ef5c61c82538c016bbd4e

Download Submit
C:\Users\Admin\smytev.exe
Filesize
169KB

MD5
d32ba71dfd5df6fc649515bbb0ba16bc

SHA1
dd0738787a869066c025b836ae631e5f883a5170

SHA256
d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

SHA512
49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

Download Submit
C:\Users\Admin\smytev.exe
Filesize
169KB

MD5
d32ba71dfd5df6fc649515bbb0ba16bc

SHA1
dd0738787a869066c025b836ae631e5f883a5170

SHA256
d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

SHA512
49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

Download Submit
C:\Users\Admin\smytev.exe
Filesize
169KB

MD5
d32ba71dfd5df6fc649515bbb0ba16bc

SHA1
dd0738787a869066c025b836ae631e5f883a5170

SHA256
d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

SHA512
49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

Download Submit
\Users\Admin\smytev.exe
Filesize
169KB

MD5
d32ba71dfd5df6fc649515bbb0ba16bc

SHA1
dd0738787a869066c025b836ae631e5f883a5170

SHA256
d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

SHA512
49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

Download Submit
\Users\Admin\smytev.exe
Filesize
169KB

MD5
d32ba71dfd5df6fc649515bbb0ba16bc

SHA1
dd0738787a869066c025b836ae631e5f883a5170

SHA256
d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a

SHA512
49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278

Download Submit
memory/784-78-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/784-69-0x0000000000000000-mapping.dmp

Download
memory/864-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/864-72-0x0000000000000000-mapping.dmp

Download
memory/864-77-0x0000000000401000-0x000000000040BC00-memory.dmp

Filesize
43KB

Download
memory/864-79-0x000000000040C000-0x000000000040D600-memory.dmp

Filesize
5KB

Download
memory/864-85-0x000000000040C000-0x000000000040D600-memory.dmp

Filesize
5KB

Download
memory/1420-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1780-89-0x0000000000086D22-mapping.dmp

Download
memory/1780-96-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1780-94-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1780-88-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1832-93-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-81-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2024-82-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2024-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-65-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads