tofsee | 270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cb

General

Target

270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
Size

94KB
MD5

78ecd98f4df225f36ad1bf18814c8360
SHA1

30e99fdb525eb0163e76c943e6db50b16dce38f7
SHA256

270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cb
SHA512

b3f3a9be6d66f697f262383553015be43bb427853399a1f774d4418d202898dd2bbdc1ef7edd899c576020746d6f2b6cd0c78d6318eb03f74a525cf8e6816aa6
SSDEEP

1536:HaT5HC7L9vnEexvevA17dfTWmU6WmQt8upcr/d:HaT5aLaexbditRtsrF

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.211

188.130.237.71

185.25.48.10

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Executes dropped EXE 1 IoCs

pid	Process
1016	ansfkxqy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ansfkxqy.exe\""	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 3688	1016	ansfkxqy.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
4248	3688	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ansfkxqy.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1016	1948	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	82
PID 1948 wrote to memory of 1016	1948	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	82
PID 1948 wrote to memory of 1016	1948	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	82
PID 1016 wrote to memory of 3688	1016	ansfkxqy.exe	83
PID 1016 wrote to memory of 3688	1016	ansfkxqy.exe	83
PID 1016 wrote to memory of 3688	1016	ansfkxqy.exe	83
PID 1016 wrote to memory of 3688	1016	ansfkxqy.exe	83
PID 1016 wrote to memory of 3688	1016	ansfkxqy.exe	83

C:\Users\Admin\AppData\Local\Temp\270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
"C:\Users\Admin\AppData\Local\Temp\270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\ansfkxqy.exe
  "C:\Users\Admin\ansfkxqy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 368
      4⤵
      Program crash
      PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0773.bat" "
  2⤵
  PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3688 -ip 3688
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0773.bat

Filesize
304B

MD5
ec810792e03a6d1301b29fa59bc47325

SHA1
db2f2b2daea6c8c4fece7a56ec632bebe31dad70

SHA256
f68525075f9d1f5a20951682abedbd9400ab0cc35f8513e311c1f14edc1cc386

SHA512
78689f139e741289cf934c117d27e6fde85b922c1df1d339a10874b5985d31c2a2e6537de93291da1f005336c7c2a5a362209f31f27b5ce31b269f8ccbe3f3a7

Download Submit
C:\Users\Admin\ansfkxqy.exe

Filesize
22.6MB

MD5
3c7e5efeb5c0e05ed139e920eaaf22ea

SHA1
bca4dd7c1aa3ad3a6805c3a6dc3bb8b339c9fe91

SHA256
465b4d464189e169e83369a670bd90080dcdb7f2708a0dd001d51084f2f28c15

SHA512
fea3e116aefbd520afcf9d2aada46f4c24e8fe4725dce03d2ac40f092bf496cc8452429838a3d75a8fe675286a27fd3f5543b6f210c52b0be1e17ea6e3ed2289

Download Submit
C:\Users\Admin\ansfkxqy.exe

Filesize
21.6MB

MD5
a12bd0ef54ed14b63287484385983bca

SHA1
7f3d7421b6dfed689f29ab745c4b135904b0315e

SHA256
28ead443dc5425366b3a8e51b65d24425045243550d7c61e468290a1cf0c768d

SHA512
259fb57cc0727a698321c6cadc09f11f0c613966f5712e5a783ea63a71eb3dcb1519a0a0a7dd79d85b627ba00c01ed1cf46918c7a8dee95d7775db9b994f714a

Download Submit
memory/1016-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1016-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1948-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-23-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/1948-0-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/3688-9-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3688-15-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3688-26-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/3688-27-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3688-16-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3688-28-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads