tofsee | 1d9218e0d25b5e74a489f12c20e61fcfd1a8d38aaa88e54c116f1af3f0653c14

General

Target

2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe
Size

12.6MB
MD5

e67efd20277e5a3049ad251227556ff5
SHA1

6952895fdd8da9e8956718bdd0f330ca4b2f96ec
SHA256

1d9218e0d25b5e74a489f12c20e61fcfd1a8d38aaa88e54c116f1af3f0653c14
SHA512

2941ef23646633978b6ab614962c862dbdadc64fc1a510fbad972c1fcef62e3490eca7a3b031b04a2bedd9b9a683040efda9ca259927f85af19a798bd203a60b
SSDEEP

3072:4LBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:1OMdRQr7OB0ypmMXnl8XEPM3noSWOC

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2136	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hwkigoze\ImagePath = "C:\\Windows\\SysWOW64\\hwkigoze\\miaaxmlz.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe

Deletes itself 1 IoCs

pid	Process
5096	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	miaaxmlz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 5096	3156	miaaxmlz.exe	99

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3540	sc.exe
4680	sc.exe
704	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2464	4480	WerFault.exe	82
4024	3156	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miaaxmlz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1392	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	83
PID 4480 wrote to memory of 1392	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	83
PID 4480 wrote to memory of 1392	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	83
PID 4480 wrote to memory of 180	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	85
PID 4480 wrote to memory of 180	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	85
PID 4480 wrote to memory of 180	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	85
PID 4480 wrote to memory of 3540	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	87
PID 4480 wrote to memory of 3540	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	87
PID 4480 wrote to memory of 3540	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	87
PID 4480 wrote to memory of 4680	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	89
PID 4480 wrote to memory of 4680	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	89
PID 4480 wrote to memory of 4680	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	89
PID 4480 wrote to memory of 704	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	91
PID 4480 wrote to memory of 704	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	91
PID 4480 wrote to memory of 704	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	91
PID 4480 wrote to memory of 2136	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	94
PID 4480 wrote to memory of 2136	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	94
PID 4480 wrote to memory of 2136	4480	2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe	94
PID 3156 wrote to memory of 5096	3156	miaaxmlz.exe	99
PID 3156 wrote to memory of 5096	3156	miaaxmlz.exe	99
PID 3156 wrote to memory of 5096	3156	miaaxmlz.exe	99
PID 3156 wrote to memory of 5096	3156	miaaxmlz.exe	99
PID 3156 wrote to memory of 5096	3156	miaaxmlz.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hwkigoze\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\miaaxmlz.exe" C:\Windows\SysWOW64\hwkigoze\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:180
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hwkigoze binPath= "C:\Windows\SysWOW64\hwkigoze\miaaxmlz.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hwkigoze "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4680
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hwkigoze
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:704
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 584
  2⤵
  - Program crash
  PID:2464

C:\Windows\SysWOW64\hwkigoze\miaaxmlz.exe
C:\Windows\SysWOW64\hwkigoze\miaaxmlz.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-12-30_e67efd20277e5a3049ad251227556ff5_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 512
  2⤵
  - Program crash
  PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4480 -ip 4480
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3156 -ip 3156
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\miaaxmlz.exe

Filesize
11.7MB

MD5
7dbec197ff6c85129a5a5e72e1027316

SHA1
29515c8cb04f108bbe3638e76f08e561f77efaad

SHA256
44a32332833a67040434615ddcd3b9d1b6c6128ebcef49997b91ffd1bd806fbe

SHA512
712871247e12bb18429987c0e9edf0c49fa36e2650ae98ff7cc231ca2932fd28b1853d8361f462e29dd16ba5c08f60a5ed6da2615bfac05f5152ccb00d4d02da

Download Submit
memory/3156-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3156-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3156-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3156-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4480-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4480-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4480-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4480-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4480-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4480-1-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/5096-14-0x0000000000730000-0x0000000000745000-memory.dmp

Filesize
84KB

Download
memory/5096-16-0x0000000000730000-0x0000000000745000-memory.dmp

Filesize
84KB

Download
memory/5096-17-0x0000000000730000-0x0000000000745000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads