tofsee | 26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
Size

152KB
MD5

6f352302073de0e2bfe05dbfb220d074
SHA1

c36f3014baf28b7667612752e025cf138b448f55
SHA256

26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6
SHA512

5a9af4c6682a681732ec8c603bf146ce86d7cc698dfdde744245156c887399d65bc38d2bd4ac2075ed86088a4539c2f252a337abd04ce7beb71d8913e8208677
SSDEEP

1536:oqJVtDbTMSjRZqsAONjZmZ9wkPGdkD8Vyzt/86My6n27InSJd:okTMNINjZBNkwmt/Ksd

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe

Executes dropped EXE 2 IoCs

pid	Process
1056	dewuuogt.exe
4832	dewuuogt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\dewuuogt.exe\""	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 1056 set thread context of 4832	1056	dewuuogt.exe	87
PID 4832 set thread context of 1480	4832	dewuuogt.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	1480	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dewuuogt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dewuuogt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
1056	dewuuogt.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 3936 wrote to memory of 4460	3936	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	83
PID 4460 wrote to memory of 1056	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	84
PID 4460 wrote to memory of 1056	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	84
PID 4460 wrote to memory of 1056	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	84
PID 4460 wrote to memory of 972	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	85
PID 4460 wrote to memory of 972	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	85
PID 4460 wrote to memory of 972	4460	26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe	85
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 1056 wrote to memory of 4832	1056	dewuuogt.exe	87
PID 4832 wrote to memory of 1480	4832	dewuuogt.exe	88
PID 4832 wrote to memory of 1480	4832	dewuuogt.exe	88
PID 4832 wrote to memory of 1480	4832	dewuuogt.exe	88
PID 4832 wrote to memory of 1480	4832	dewuuogt.exe	88
PID 4832 wrote to memory of 1480	4832	dewuuogt.exe	88

C:\Users\Admin\AppData\Local\Temp\26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
"C:\Users\Admin\AppData\Local\Temp\26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe
  "C:\Users\Admin\AppData\Local\Temp\26128830cb8a15abdbc9b22a6a1aaece6bb8c2a13abc1103611fec4d867629b6.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\dewuuogt.exe
    "C:\Users\Admin\dewuuogt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Users\Admin\dewuuogt.exe
      "C:\Users\Admin\dewuuogt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 356
        6⤵
        Program crash
        
        PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0043.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0043.bat

Filesize
302B

MD5
dea0722044ce550b65e5614d8a261066

SHA1
0db60881a89b3231e98b962428ee0a8fdaf660e5

SHA256
222b69a64ae360e45207a5209faae3a720c6fec44b6fed0032130dcb1172709d

SHA512
ff50a36bf75a4a1182b280793a03e26cd5388d1d927afffed08f0cbf01cefe1fbbd37b7d0c0bc0b5cceea1190004e3c906d6e296bfcb87d45e50ee5b22df5ef6

Download Submit
C:\Users\Admin\dewuuogt.exe

Filesize
37.8MB

MD5
179c0f656db10fc6c2327e371e0a19ce

SHA1
1af5aba4322310a8c943e114c2a8afdabd4671b2

SHA256
44f1801beca76d4fedfb2aa157f7c19b93c3db5f21b95862a8c835cd11875d68

SHA512
a597d7b2a3c412d03ae71a77e6cf1417ab539d1fc45f63fdda32cc552ddb8ea5caf35b37a89ab901bd6e5d1c9f4e631b68a985e1cd214d4bd8650348d3e01f1d

Download Submit
memory/1056-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1056-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1480-33-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1480-41-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1480-40-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1480-36-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1480-28-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/3936-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3936-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3936-2-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/4460-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4460-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4460-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4460-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads