Analysis

max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 04-11-2024 22:16

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe
Size: 13.8MB
MD5: 9c51a91c066c0450f73e9094bff5b3d4
SHA1: 69443b3cd6392afd4d9abd4191cc83979fbf1cf5
SHA256: 1bbf4d3f017661eb57be195c6c53319731eb6c36aee2ddecf39b53ec91bcfdb2
SHA512: 2eaabc50c4f270dbd8e9bb93221456fb1270ceda504b127765679eda4403c4c6efae4a18ed79fc1780acc885fd29b5e676479858a3a962a680941f0324fcca84
SSDEEP: 49152:AVdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG3:AVdrl/9zG
Malware Config

Extracted
Family: tofsee
43.231.4.7
lazystax.ru
Signatures

Tofsee family

Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\efvxghaw = "0" | svchost.exe

Creates new service(s) 2 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  2564 | netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\efvxghaw\ImagePath = "C:\\Windows\\SysWOW64\\efvxghaw\\pcqtvvtg.exe" | svchost.exe

Deletes itself 1 IoCs
  pid | Process
  2816 | svchost.exe

Executes dropped EXE 1 IoCs
  pid | Process
  2828 | pcqtvvtg.exe

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2828 set thread context of 2816 | 2828 | pcqtvvtg.exe | 43

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2964 | sc.exe
  2952 | sc.exe
  2796 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pcqtvvtg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe

Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target
  PID 2052 wrote to memory of 1932 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 30
  PID 2052 wrote to memory of 1932 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 30
  PID 2052 wrote to memory of 1932 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 30
  PID 2052 wrote to memory of 1932 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 30
  PID 2052 wrote to memory of 320 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 32
  PID 2052 wrote to memory of 320 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 32
  PID 2052 wrote to memory of 320 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 32
  PID 2052 wrote to memory of 320 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 32
  PID 2052 wrote to memory of 2796 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 34
  PID 2052 wrote to memory of 2796 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 34
  PID 2052 wrote to memory of 2796 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 34
  PID 2052 wrote to memory of 2796 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 34
  PID 2052 wrote to memory of 2964 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 36
  PID 2052 wrote to memory of 2964 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 36
  PID 2052 wrote to memory of 2964 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 36
  PID 2052 wrote to memory of 2964 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 36
  PID 2052 wrote to memory of 2952 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 38
  PID 2052 wrote to memory of 2952 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 38
  PID 2052 wrote to memory of 2952 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 38
  PID 2052 wrote to memory of 2952 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 38
  PID 2052 wrote to memory of 2564 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 41
  PID 2052 wrote to memory of 2564 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 41
  PID 2052 wrote to memory of 2564 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 41
  PID 2052 wrote to memory of 2564 | 2052 | 2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe | 41
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
  PID 2828 wrote to memory of 2816 | 2828 | pcqtvvtg.exe | 43
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe"
  PID: 2052
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\efvxghaw\
    PID: 1932
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pcqtvvtg.exe" C:\Windows\SysWOW64\efvxghaw\
    PID: 320
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create efvxghaw binPath= "C:\Windows\SysWOW64\efvxghaw\pcqtvvtg.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2796
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description efvxghaw "wifi internet conection"
    PID: 2964
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start efvxghaw
    PID: 2952
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2564
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\efvxghaw\pcqtvvtg.exe
  command line: C:\Windows\SysWOW64\efvxghaw\pcqtvvtg.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia.exe"
  PID: 2828
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    PID: 2816
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads

Filesize: 10.9MB
MD5: 5f215099f12613b137efea720fb506b1
SHA1: 61cef63ccbcab011b186f97548e5d2321740e6e1
SHA256: 949a222c76ccf98578469d149852ea48f09721335c290428601ea7f7d1ad71d3
SHA512: 768cb3e399dc411144444102b59cdfc81235c1ddea28a576c31b636be7dd115be706a887efb41b4d520636247377fabdf9fc258dd3193cafa8767112dce3bb2a