Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2025 15:46
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe
-
Size
10.0MB
-
MD5
e131e7ea13ef16f914940ac7fa24064c
-
SHA1
75039b2cc40d3c616042957b016b4b9097495820
-
SHA256
163e6be7e3d945dc57382762b6857e47f6c966d0e8529ba1775cc7143e0bc39e
-
SHA512
9e8c2dd4cda0351845218bd84abc4b5dc05060b68ba50bae8281616311092443ce178a377aa97522a955da95423b8b4f6ec3ef0384945ca9ac2642d01f87c146
-
SSDEEP
6144:BVXdWonWCgHBEJE968VNNXSB3sFD+yZpp:7bnWvHBEJM6WNNCB36D+y
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 228 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kmydljud\ImagePath = "C:\\Windows\\SysWOW64\\kmydljud\\keevgpgi.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe -
Deletes itself 1 IoCs
pid Process 628 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 1652 keevgpgi.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1652 set thread context of 628 1652 keevgpgi.exe 103 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4344 sc.exe 1984 sc.exe 2708 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 956 1652 WerFault.exe 96 3576 1652 WerFault.exe 96 2588 1652 WerFault.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keevgpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 4624 wrote to memory of 1660 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 83 PID 4624 wrote to memory of 1660 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 83 PID 4624 wrote to memory of 1660 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 83 PID 4624 wrote to memory of 708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 86 PID 4624 wrote to memory of 708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 86 PID 4624 wrote to memory of 708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 86 PID 4624 wrote to memory of 4344 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 88 PID 4624 wrote to memory of 4344 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 88 PID 4624 wrote to memory of 4344 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 88 PID 4624 wrote to memory of 1984 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 92 PID 4624 wrote to memory of 1984 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 92 PID 4624 wrote to memory of 1984 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 92 PID 4624 wrote to memory of 2708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 94 PID 4624 wrote to memory of 2708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 94 PID 4624 wrote to memory of 2708 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 94 PID 4624 wrote to memory of 228 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 101 PID 4624 wrote to memory of 228 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 101 PID 4624 wrote to memory of 228 4624 2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe 101 PID 1652 wrote to memory of 628 1652 keevgpgi.exe 103 PID 1652 wrote to memory of 628 1652 keevgpgi.exe 103 PID 1652 wrote to memory of 628 1652 keevgpgi.exe 103 PID 1652 wrote to memory of 628 1652 keevgpgi.exe 103 PID 1652 wrote to memory of 628 1652 keevgpgi.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kmydljud\2⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\keevgpgi.exe" C:\Windows\SysWOW64\kmydljud\2⤵
- System Location Discovery: System Language Discovery
PID:708
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create kmydljud binPath= "C:\Windows\SysWOW64\kmydljud\keevgpgi.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4344
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description kmydljud "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1984
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start kmydljud2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:228
-
-
C:\Windows\SysWOW64\kmydljud\keevgpgi.exeC:\Windows\SysWOW64\kmydljud\keevgpgi.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-10_e131e7ea13ef16f914940ac7fa24064c_mafia.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 6602⤵
- Program crash
PID:956
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 9082⤵
- Program crash
PID:3576
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 9162⤵
- Program crash
PID:2588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1652 -ip 16521⤵PID:2668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1652 -ip 16521⤵PID:3856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1652 -ip 16521⤵PID:1372
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.2MB
MD50fd98d0e3a3e49643dd451626bf4e0d1
SHA14bb68d4a6d2e79479211df506548bc5ab4298b6b
SHA2561397e612ecf323118b1bd3fd2f1e85250301e019c50347868a09bf84536ac616
SHA512d1a5542212d9587d964c9d132b657190b24aa997f567acadc92109d85d299332ab63829de6bbb96ba2626a1458f2bd621c7cbd3fe9df74270e9104400af36f4f