Overview

overview

10

Static

static

3

2024-06-30...ia.exe

windows7-x64

10

2024-06-30...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-06-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-30_b4c141e1b4b0b3d6dc0a4403f2a1cad5_mafia.exe

  • Size

    12.9MB

  • MD5

    b4c141e1b4b0b3d6dc0a4403f2a1cad5

  • SHA1

    c10584b5259f0339530218dc0f133c63f8fec9ba

  • SHA256

    4712247fd59b13512019fdaca5f34e6c9f1fa3d2755b0be2a74d069e957f9600

  • SHA512

    ef5c31fbc42ac75e634109c6d4275578f9b12cc691a5d9a1d9a2831cb51ace5796ced5515eac16518279e3a47f23492396b09861df4741995b4d7109b3348018

  • SSDEEP

    6144:8+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:8+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score
10/10
tofseeevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-30_b4c141e1b4b0b3d6dc0a4403f2a1cad5_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-30_b4c141e1b4b0b3d6dc0a4403f2a1cad5_mafia.exe"
    1⤵
      PID:948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mdtyeozj\
        2⤵
          PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe" C:\Windows\SysWOW64\mdtyeozj\
          2⤵
            PID:2128
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create mdtyeozj binPath= "C:\Windows\SysWOW64\mdtyeozj\feqmrbly.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-06-30_b4c141e1b4b0b3d6dc0a4403f2a1cad5_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
            2⤵
            • Launches sc.exe
            PID:4324
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description mdtyeozj "wifi internet conection"
            2⤵
            • Launches sc.exe
            PID:208
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" start mdtyeozj
            2⤵
            • Launches sc.exe
            PID:4732
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            2⤵
            • Modifies Windows Firewall
            PID:1388
        • C:\Windows\SysWOW64\mdtyeozj\feqmrbly.exe
          C:\Windows\SysWOW64\mdtyeozj\feqmrbly.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-06-30_b4c141e1b4b0b3d6dc0a4403f2a1cad5_mafia.exe"
          1⤵
            PID:3928
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              2⤵
                PID:3068
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:416

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe
                Filesize

                7.9MB

                MD5

                38a3afa73bc8d5f193a6d8a9540b74a3

                SHA1

                55aff28cb94437f78d323b1e867804a9f1d8d690

                SHA256

                0c1ec870004d192ea020b802f2dec9be9b9a8189708fdf3cda49d34d8b3f7d6d

                SHA512

                c616334b07a9f886c15fcdc1e9e052f70114148f644eac8309f3c51bdc89ab62b0c4116fb1a591d41a72925102c9ab429bc05f06e960c9f262b16d0751dabe69

                Download Submit
              • C:\Windows\SysWOW64\mdtyeozj\feqmrbly.exe
                Filesize

                7.2MB

                MD5

                4281a71e9b8b8c66a6701f818a73acca

                SHA1

                d80646881e37e5aef213232753c8e2e0a7ecce5a

                SHA256

                77b3912320ca6751d0711b42afc0c98faab8251ad79041e268b08bfeb65e56e0

                SHA512

                ec6fa953946f4a8448bc46dcad096cc064be0d6ec55b561ab3f6e22b96070a3e2a6cfc9e1e96a27f06969708548e214f343806d9fd59cb8e6f2a46e7b84d50b3

                Download Submit
              • memory/948-5-0x0000000000400000-0x000000000051A000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/948-1-0x00000000007B0000-0x00000000008B0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/948-6-0x0000000000400000-0x000000000051A000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/948-7-0x0000000000400000-0x0000000000415000-memory.dmp
                Filesize

                84KB

                Download
              • memory/948-2-0x0000000000400000-0x0000000000415000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3068-17-0x00000000010A0000-0x00000000010B5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3068-18-0x00000000010A0000-0x00000000010B5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3068-12-0x00000000010A0000-0x00000000010B5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3068-19-0x00000000010A0000-0x00000000010B5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3068-20-0x00000000010A0000-0x00000000010B5000-memory.dmp
                Filesize

                84KB

                Download
              • memory/3928-11-0x0000000000400000-0x000000000051A000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/3928-16-0x0000000000400000-0x000000000051A000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/3928-10-0x0000000000400000-0x000000000051A000-memory.dmp
                Filesize

                1.1MB

                Download