tofsee | 0feb3db1f329e0a0a248026b03df0bc76f462d51d13ff1ddd0069d189c3cd7e8

General

Target

2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe
Size

12.2MB
MD5

d5163a500b24c2d07720cb4019dd3923
SHA1

fc869db383392a90e85191049766eeb046767c10
SHA256

0feb3db1f329e0a0a248026b03df0bc76f462d51d13ff1ddd0069d189c3cd7e8
SHA512

98288e9c075089c90931e65ae8818aa033e6b3957dd445778e991a0ab6b7abc1ac498fa308cb257878300ff406dc8818937c6a28c95283a3cea36087969a1c85
SSDEEP

6144:JqXbY+SAjhUEzmPy0jhM7o8cMp/sP9gdiw1fagj1x2Eqqqqqqqqqqqqqqqqqqqqv:JqLY+4oAfj2o8X/U9gdjj

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3024 netsh.exe

pid	process
3024	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uhzfzaji\ImagePath = "C:\\Windows\\SysWOW64\\uhzfzaji\\bgttwvlq.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3972 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

bgttwvlq.exe

pid process

1032 bgttwvlq.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bgttwvlq.exe

description pid process target process

PID 1032 set thread context of 3972 1032 bgttwvlq.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2872 sc.exe
216 sc.exe
1352 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3972	svchost.exe

pid	process
1032	bgttwvlq.exe

description	pid	process	target process
PID 1032 set thread context of 3972	1032	bgttwvlq.exe	svchost.exe

pid	process
2872	sc.exe
216	sc.exe
1352	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exebgttwvlq.exe

description	pid	process	target process
PID 1848 wrote to memory of 3816	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 3816	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 3816	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 2752	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 2752	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 2752	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	cmd.exe
PID 1848 wrote to memory of 1352	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 1352	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 1352	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 2872	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 2872	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 2872	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 216	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 216	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 216	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	sc.exe
PID 1848 wrote to memory of 3024	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	netsh.exe
PID 1848 wrote to memory of 3024	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	netsh.exe
PID 1848 wrote to memory of 3024	1848	2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe	netsh.exe
PID 1032 wrote to memory of 3972	1032	bgttwvlq.exe	svchost.exe
PID 1032 wrote to memory of 3972	1032	bgttwvlq.exe	svchost.exe
PID 1032 wrote to memory of 3972	1032	bgttwvlq.exe	svchost.exe
PID 1032 wrote to memory of 3972	1032	bgttwvlq.exe	svchost.exe
PID 1032 wrote to memory of 3972	1032	bgttwvlq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uhzfzaji\
2⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bgttwvlq.exe" C:\Windows\SysWOW64\uhzfzaji\
2⤵
PID:2752

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create uhzfzaji binPath= "C:\Windows\SysWOW64\uhzfzaji\bgttwvlq.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1352

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description uhzfzaji "wifi internet conection"
2⤵
- Launches sc.exe
PID:2872

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start uhzfzaji
2⤵
- Launches sc.exe
PID:216

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3024

C:\Windows\SysWOW64\uhzfzaji\bgttwvlq.exe
C:\Windows\SysWOW64\uhzfzaji\bgttwvlq.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Deletes itself
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgttwvlq.exe

Filesize
11.6MB

MD5
742092c77b19c47ed4067e25eba4ecea

SHA1
792dd6c960ab0b77830fba534b03e28fd84c009d

SHA256
09995251a277afcf646e8bf8a4ea89e2a4f811d181340381f6c5629d6fe7ebb7

SHA512
107d6f6f8f785e15bece45d94d08393e7ff8fffdb189d2dd806e593c7b82c3f7793d635760921dc8aae87134e76b929b2720faf3695ca2669c1ce55a824c7b44

Download Submit
memory/1032-15-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1032-11-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1032-10-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1848-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1848-5-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1848-7-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1848-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1848-1-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/3972-12-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download
memory/3972-18-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download
memory/3972-17-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download
memory/3972-19-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download
memory/3972-20-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads