tofsee | 587d46422210f07b6fa947c32729635b21defda03a4030132ca3a4ac6b6bdd80

General

Target

2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe
Size

13.2MB
MD5

ccfdd3b3bd716781c58f384e57832015
SHA1

16cbe22c63946bab54a091bbc868f5a1029bf817
SHA256

587d46422210f07b6fa947c32729635b21defda03a4030132ca3a4ac6b6bdd80
SHA512

51ce7ef3d59287d5aa22c98c56e96018d19308cdb12d4be05d1602cd7dabbb17269c9579dbad6907436dc8a5312f92f753f7463890a005dbdc0a2c48dca0e177
SSDEEP

49152:jqE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:jqtYc3

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1188	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nxnmnys\ImagePath = "C:\\Windows\\SysWOW64\\nxnmnys\\ttufabzh.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe

Deletes itself 1 IoCs

pid	Process
2164	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	ttufabzh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 2164	3488	ttufabzh.exe	94

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2040	sc.exe
3688	sc.exe
3328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2716	3488	WerFault.exe	93
2300	2572	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttufabzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2076	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	83
PID 2572 wrote to memory of 2076	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	83
PID 2572 wrote to memory of 2076	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	83
PID 2572 wrote to memory of 116	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	85
PID 2572 wrote to memory of 116	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	85
PID 2572 wrote to memory of 116	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	85
PID 2572 wrote to memory of 2040	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	87
PID 2572 wrote to memory of 2040	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	87
PID 2572 wrote to memory of 2040	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	87
PID 2572 wrote to memory of 3688	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	89
PID 2572 wrote to memory of 3688	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	89
PID 2572 wrote to memory of 3688	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	89
PID 2572 wrote to memory of 3328	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	91
PID 2572 wrote to memory of 3328	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	91
PID 2572 wrote to memory of 3328	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	91
PID 3488 wrote to memory of 2164	3488	ttufabzh.exe	94
PID 3488 wrote to memory of 2164	3488	ttufabzh.exe	94
PID 3488 wrote to memory of 2164	3488	ttufabzh.exe	94
PID 3488 wrote to memory of 2164	3488	ttufabzh.exe	94
PID 3488 wrote to memory of 2164	3488	ttufabzh.exe	94
PID 2572 wrote to memory of 1188	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	98
PID 2572 wrote to memory of 1188	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	98
PID 2572 wrote to memory of 1188	2572	2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe	98

C:\Users\Admin\AppData\Local\Temp\2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nxnmnys\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttufabzh.exe" C:\Windows\SysWOW64\nxnmnys\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:116
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nxnmnys binPath= "C:\Windows\SysWOW64\nxnmnys\ttufabzh.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nxnmnys "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nxnmnys
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3328
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1044
  2⤵
  - Program crash
  PID:2300

C:\Windows\SysWOW64\nxnmnys\ttufabzh.exe
C:\Windows\SysWOW64\nxnmnys\ttufabzh.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 560
  2⤵
  - Program crash
  PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3488 -ip 3488
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2572 -ip 2572
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ttufabzh.exe

Filesize
10.5MB

MD5
92c84dbbde7c1c0cf2df5c9552bad9b4

SHA1
d9f4e0f23fd1a3a633afec5081233b66d276b51f

SHA256
043f2881f4561891d0adc6b320eb3b72d081fb243b82a6845992d6b2f162b0df

SHA512
eb68995459c42287ace70fb03ddb59e2adda686c4d91a34c384139b72e09ac7dbc532c5664669acf20449e39545d6d6ff74b3fc11a89642a2c98e5a3c84ad4df

Download Submit
memory/2164-8-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2164-14-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2164-15-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2572-1-0x0000000002FD0000-0x00000000030D0000-memory.dmp

Filesize
1024KB

Download
memory/2572-2-0x00000000030D0000-0x00000000030E3000-memory.dmp

Filesize
76KB

Download
memory/2572-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2572-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2572-12-0x00000000030D0000-0x00000000030E3000-memory.dmp

Filesize
76KB

Download
memory/2572-11-0x0000000000400000-0x0000000002DC3000-memory.dmp

Filesize
41.8MB

Download
memory/3488-10-0x0000000000400000-0x0000000002DC3000-memory.dmp

Filesize
41.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads