tofsee | c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
Size

4.8MB
MD5

c3c762bdf1f673328017ec983249e09e
SHA1

64dc43657c00deb05ad6af004e413b5f79b045a6
SHA256

c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78
SHA512

7bc0addbea5a3616cf8ed9886c49719d60b2d04e8c9406a1c1f3b382cc3fa4f980882533509fbd98d15ca76735922e56d54762e3402cefbd185721ef5048b8e2
SSDEEP

98304:kK/ZoaObB9IEBiDvXCh3YKxugzUHU9Mrfmr8hYE7j+RJ5HHuQB:P/usEBKeHNN1IvjaJ5HHuS

Score

10^/10

tofsee discovery trojan

Malware Config

Extracted

Family

tofsee

vanaheim.cn

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Executes dropped EXE 3 IoCs

pid	Process
2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
2776	msn.exe
2816	msn.exe

Loads dropped DLL 12 IoCs

pid	Process
1180	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
2776	msn.exe
2776	msn.exe
2776	msn.exe
2776	msn.exe
2776	msn.exe
2816	msn.exe
2816	msn.exe
2816	msn.exe
1992	cmd.exe
2056	DockerCloud_Vtm_x86.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 1992	2816	msn.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Serviceprotect_xd.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DockerCloud_Vtm_x86.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Buses\Config0 = 54a1e43d5004650224edb47d450dd49d084297dce82e72baa48263fd347d031d36a0264681cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56b14d48245753fe7ae644490bdb57922ec9c580dccf6b454758df21d5904e0a56e16d4874c7538e19d084295d9e13f4bb4c06d02fdadfd5430d59c470c36fbac6b1cd5b40e367b8be90d4091bdb57525ea9d540cc5f7b854718bce15515bb9fd3041ed854b7434e2a5551fc78b84a9349ca439fd0c9b8d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd843ca92bc32834fdc48d57d1f6ae743d04ccac6d0adb82537338faac552df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd755c24ed	DockerCloud_Vtm_x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Buses	DockerCloud_Vtm_x86.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2776	msn.exe
2816	msn.exe
2816	msn.exe
1992	cmd.exe
1992	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2816	msn.exe
1992	cmd.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2212	1180	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	30
PID 1180 wrote to memory of 2212	1180	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	30
PID 1180 wrote to memory of 2212	1180	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	30
PID 2212 wrote to memory of 2776	2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	31
PID 2212 wrote to memory of 2776	2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	31
PID 2212 wrote to memory of 2776	2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	31
PID 2212 wrote to memory of 2776	2212	c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe	31
PID 2776 wrote to memory of 2816	2776	msn.exe	32
PID 2776 wrote to memory of 2816	2776	msn.exe	32
PID 2776 wrote to memory of 2816	2776	msn.exe	32
PID 2776 wrote to memory of 2816	2776	msn.exe	32
PID 2816 wrote to memory of 1992	2816	msn.exe	33
PID 2816 wrote to memory of 1992	2816	msn.exe	33
PID 2816 wrote to memory of 1992	2816	msn.exe	33
PID 2816 wrote to memory of 1992	2816	msn.exe	33
PID 2816 wrote to memory of 1992	2816	msn.exe	33
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35
PID 1992 wrote to memory of 2056	1992	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
"C:\Users\Admin\AppData\Local\Temp\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\TEMP\{3FD806A1-2CC6-405D-AD03-F80D0C442669}\.cr\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe
  "C:\Windows\TEMP\{3FD806A1-2CC6-405D-AD03-F80D0C442669}\.cr\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\TEMP\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msn.exe
    C:\Windows\TEMP\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Roaming\superUpdate\msn.exe
      C:\Users\Admin\AppData\Roaming\superUpdate\msn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\DockerCloud_Vtm_x86.exe
        
        C:\Users\Admin\AppData\Local\Temp\DockerCloud_Vtm_x86.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\395007bd

Filesize
1.7MB

MD5
23c7891b44aebe2701e2169957fc0145

SHA1
30b20afbd9e8280215b8002d738dca8a3cb39e12

SHA256
4ed8ab3ca5c3afc1ed7edbbc2e5b245962368c9b825a29560074b96b630669e2

SHA512
8ffd95d6c7f3077f664ac4493b15db8d988f86d7be84e58ae81123e8a31f77a518d6eab181edb5cd9fadc49d65238e91ff1a3095bcc7e212edafd351e6f5c579

Download Submit
C:\Windows\TEMP\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\archaeopteryx.gif

Filesize
35KB

MD5
c3672decd0ac72b95d213688a3897bd3

SHA1
3cf5a509286cc25ec826804f8f980c1e4fef5db1

SHA256
cad394c34b47a31755ed12504186349cd9263de83562f80fc1256a9d58dd0099

SHA512
0c04811a235c8dfb54af4d589b9b12966f42b57bf5a50ec55f64ec024fd700a8141f86bb3d7a1bc19be060f473cdfe674cbdf55c1054c8fc84e9a43b46d3b5e3

Download Submit
C:\Windows\TEMP\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\catechumenate.xls

Filesize
1.1MB

MD5
0d1cbed13e0e06a5a672770d445875e1

SHA1
a13bd4be50d664040dc4edb923f09289f4d644d8

SHA256
08735bd27d0226052dd1ed311f050bed6fe5f5cbc9f6f72aca5633ebc04f793a

SHA512
2170171636751a04201e406993c6d889b9c561855d5ad32027808f0c64866855f9872b5e53a6d618c9f1f8597c64275e1d04f35855ccaad09b4b0608dac166cf

Download Submit
C:\Windows\TEMP\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Windows\Temp\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
\Users\Admin\AppData\Local\Temp\DockerCloud_Vtm_x86.exe

Filesize
994KB

MD5
de0ea31558536ca7e3164c3cd4578bf5

SHA1
5cc890c3ade653bb1ed1e53dabb0410602ee52df

SHA256
6e599490e164505af796569dce30e18218b179b2b791fe69764892b3ed3e7478

SHA512
c47299cd5f3b4961f423c2ca1fef5a33eb4b0f63dc232af70ef9da39f6f82270406061dd543461de7e47abd1244e26d6190de6035120211b27d4c23f97a25aba

Download Submit
\Windows\Temp\{3FD806A1-2CC6-405D-AD03-F80D0C442669}\.cr\c2d94e9579a169f3ccc2003ffb38e69d4c1471f6c24b199adeeb3d88d15c5f78.exe

Filesize
4.6MB

MD5
948fc9904a7496ff29524521ff508f10

SHA1
aa69cab61561a3f0196a3e35c52131cf23903e01

SHA256
6287cc61bd336510edfaa48148ba9f0b32dc5eed18a3387f3bbddca70fde0faf

SHA512
324c95574e2ac88a5b75526a8c8b395c8f9d052d3a02f7177dfd0f138c3938d5af29fea7e0720274758faed0686ed1b403fab5615420a556f8236188c30d8aa9

Download Submit
\Windows\Temp\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\Sickle.dll

Filesize
156KB

MD5
2d1baab8d4466d742f529fdde392f166

SHA1
f898d9128b340080437995f41856b16768b1811a

SHA256
036b59a5f388ad0730931fcdda71996481f4128470836f71f78ece60ca3da981

SHA512
4c98d762fcfe93e82d6c146fcb8a1834b6eea53b458ea093fa807c4d9d666440f1b91208f511d55511a81b1857484cccff233880e11156441348b156a377803e

Download Submit
\Windows\Temp\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
\Windows\Temp\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msidcrl40.dll

Filesize
791KB

MD5
ef66829b99bbfc465b05dc7411b0dcfa

SHA1
c6f6275f92053b4b9fa8f2738ed3e84f45261503

SHA256
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575

SHA512
6839b7372e37e67c270a4225f91df21f856158a292849da2101c2978ce37cd08b75923ab30ca39d7360ce896fc6a2a2d646dd88eb2993cef612c43a475fdb2ea

Download Submit
\Windows\Temp\{7C134828-5374-4EF9-9D88-0F5AD1B20A8B}\.ba\msncore.dll

Filesize
982KB

MD5
98c1e156d6e2f4fc8ac9689c27843b25

SHA1
41f2fd6f1feba6fb941233c5d3cf9be9a455b146

SHA256
9ca41837bbdf1b67dbf8df112c05a49c972542d2e0341d5c6eebc18905b14876

SHA512
176e1d4ae9e4636903912adfa014bb2947bdde4c4db33395dd151220638fea60148a811c6e0e5e0e694f5333ef261194f980e7c0c49fedafabcdf12623d3c3b6

Download Submit
memory/1992-78-0x00000000742D0000-0x0000000074444000-memory.dmp

Filesize
1.5MB

Download
memory/1992-62-0x00000000742D0000-0x0000000074444000-memory.dmp

Filesize
1.5MB

Download
memory/1992-61-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2056-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-84-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-83-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-87-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2056-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-98-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-30-0x00000000742E0000-0x0000000074454000-memory.dmp

Filesize
1.5MB

Download
memory/2776-31-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2816-58-0x00000000742D0000-0x0000000074444000-memory.dmp

Filesize
1.5MB

Download
memory/2816-56-0x00000000742D0000-0x0000000074444000-memory.dmp

Filesize
1.5MB

Download
memory/2816-57-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download