tofsee | 2fd8f88bc46e5e872b6c915dc29ffa177befb1c1133d3bab1191d3a40e528a7c

General

Target

2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe
Size

12.2MB
MD5

8614dd7f7e2db20e233fd456212d78f9
SHA1

bf6d968a0d9ca44dc10e7e7ee73e3d4c19b386ba
SHA256

2fd8f88bc46e5e872b6c915dc29ffa177befb1c1133d3bab1191d3a40e528a7c
SHA512

d84c4099832f7bae96e521586ed2a571850c928b330690e97ab8ca4b1f4b537405fc04fd857ddd85655e1fb56461973bf0d5efbf9a18f620736017b09e4375a0
SSDEEP

393216:VXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXn:

Score

10^/10

tofsee defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2576	netsh.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4652	sc.exe
1948	sc.exe
624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\otugklrj\
  2⤵
  PID:3608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bdyexku.exe" C:\Windows\SysWOW64\otugklrj\
  2⤵
  PID:4880
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create otugklrj binPath= "C:\Windows\SysWOW64\otugklrj\bdyexku.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  PID:4652
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description otugklrj "wifi internet conection"
  2⤵
  - Launches sc.exe
  PID:1948
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start otugklrj
  2⤵
  - Launches sc.exe
  PID:624
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  PID:2576

C:\Windows\SysWOW64\otugklrj\bdyexku.exe
C:\Windows\SysWOW64\otugklrj\bdyexku.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-29_8614dd7f7e2db20e233fd456212d78f9_mafia.exe"
1⤵
PID:3184
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdyexku.exe

Filesize
1.1MB

MD5
3c8a9307bcd9aaa961842a3cc04dd593

SHA1
a4a7db86a7e0a40d8e4a90d5e1b229b47aec5725

SHA256
58bc170546932d64e9ec473d3c71e8cb9a2f8e79bcd7eb96400222f6809d40e0

SHA512
ad33feccda49e07920230b41fb28435e5fbcf0ff8b82274c3308083d31861e8afcfe047ba395b268c0d4d22aac8dc4b542d7d6d6eeb80074d86bf4aa1e332f9c

Download Submit
C:\Windows\SysWOW64\otugklrj\bdyexku.exe

Filesize
845KB

MD5
36157482efbea3f94c9bb026e13b7b87

SHA1
49a292a6a280348111d817911733d07be83561cb

SHA256
181fb75b99afb13418fc9cff0e6d75b9d0362d0b839c307570b335e53c96f3f5

SHA512
cf24f8a0a07f42a6f09123631d56afdcb6a73852cf680e6b895556c03bc49367e05d05f41076803f167c3bbfa77bac9f13b097ac06667923a76513e98c0330e4

Download Submit
memory/3168-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3168-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3168-1-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/3168-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3168-2-0x0000000000570000-0x0000000000583000-memory.dmp

Filesize
76KB

Download
memory/3168-8-0x0000000000570000-0x0000000000583000-memory.dmp

Filesize
76KB

Download
memory/3184-17-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3184-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3184-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3184-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3856-19-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/3856-18-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/3856-14-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads