Overview

overview

10

Static

static

3

2024-06-30...ia.exe

windows7-x64

10

2024-06-30...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-06-2024 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe

  • Size

    14.7MB

  • MD5

    7d693e888c68bc619f8a1a8ad54c5047

  • SHA1

    2b2c4bc19afe94bddddc96c552092a0fb91e7d4c

  • SHA256

    51849ac5d43fc8106dc522583520818363452d02faf0d3dac8ddd86c53d9c328

  • SHA512

    1ce61b0efdeea672bfdf24cc9d084f5e19f72d31ff194ebad428813911154a89edc94f6af695b364f23a2739ef3fbe98cf400422e6925ead1befe39f21b3c885

  • SSDEEP

    6144:x+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:x+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ztfjqlwn\
      2⤵
        PID:1756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" C:\Windows\SysWOW64\ztfjqlwn\
        2⤵
          PID:2836
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ztfjqlwn binPath= "C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2608
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ztfjqlwn "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2816
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ztfjqlwn
          2⤵
          • Launches sc.exe
          PID:2640
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2652
      • C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe
        C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe"
        1⤵
          PID:1928
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
              PID:2100

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe
            Filesize

            12.3MB

            MD5

            a908bcab1a29a94273119e97187b02af

            SHA1

            c12a238f232299e9d343dbedc34e68d585d41901

            SHA256

            ac75c12068f418f737d4d99b43b6c93ae04aed33cff0992e6f9bbc331a5fdcbd

            SHA512

            3a4d5fbdc56a0428bbef85f4c10ed6c59648ed51ed462be1066c9cfa45bc1fc11c7834a4d2ca092bfa0f7ba6541b58254fcb6a152333b926a7cfd6091802b8bd

            Download Submit
          • C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe
            Filesize

            11.9MB

            MD5

            b35a460e181601f23c5b6e73f3e8ea44

            SHA1

            51c91c160367df777341f9858af17cb2506ca571

            SHA256

            9ef6b9a2e9312adacb0c766bdcf6c1173449adc83e4d15dd40410363d8f4cc15

            SHA512

            384c1da69abd3a6077f0f822bc9c9ea6c7483692ece8ed575b1015e136b6f395041fdc98d74efb08f57db1cb46b91d604ba1ac842be0d76285360032c1af6898

            Download Submit
          • memory/1928-12-0x0000000000400000-0x000000000051A000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/2100-7-0x0000000000080000-0x0000000000095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2100-10-0x0000000000080000-0x0000000000095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2100-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2100-16-0x0000000000080000-0x0000000000095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2100-17-0x0000000000080000-0x0000000000095000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2980-1-0x0000000000660000-0x0000000000760000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/2980-15-0x0000000000400000-0x0000000000415000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2980-14-0x0000000000660000-0x0000000000760000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/2980-13-0x0000000000400000-0x000000000051A000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/2980-2-0x0000000000400000-0x0000000000415000-memory.dmp
            Filesize

            84KB

            Download