Overview

overview

10

Static

static

3

2025-01-29...ia.exe

windows7-x64

10

2025-01-29...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-29_9d96d9c5193edd88a9d0186b176ce37c_mafia.exe

  • Size

    13.5MB

  • MD5

    9d96d9c5193edd88a9d0186b176ce37c

  • SHA1

    2bb0f83db1e961217eaf2c4a9ffbf638fd9e22e8

  • SHA256

    996e55ff7dfab4bdc3cd2bd847658ac6da3c5a1e8634e5e9d0e64bcb784ea52b

  • SHA512

    d254a77387342070434f346f52faf1cb5ceca3df4d6331eb558685704f180774ad64be410923db6cba0c30978df07cd40e50f99bb85fd7d98e836300c367f8bb

  • SSDEEP

    3072:zLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:6OMdRQr7OB0ypmMXnl8XEPM3noSWOC

Score
10/10
tofseedefense_evasiondiscoveryexecutionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-29_9d96d9c5193edd88a9d0186b176ce37c_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-29_9d96d9c5193edd88a9d0186b176ce37c_mafia.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2256
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\agajdzzs\
      2⤵
        PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oqjubjxn.exe" C:\Windows\SysWOW64\agajdzzs\
        2⤵
          PID:4928
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create agajdzzs binPath= "C:\Windows\SysWOW64\agajdzzs\oqjubjxn.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-29_9d96d9c5193edd88a9d0186b176ce37c_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1432
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description agajdzzs "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4324
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start agajdzzs
          2⤵
          • Launches sc.exe
          PID:4728
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 596
          2⤵
          • Program crash
          PID:412
      • C:\Windows\SysWOW64\agajdzzs\oqjubjxn.exe
        C:\Windows\SysWOW64\agajdzzs\oqjubjxn.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-29_9d96d9c5193edd88a9d0186b176ce37c_mafia.exe"
        1⤵
          PID:2416
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
              PID:4920
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 512
              2⤵
              • Program crash
              PID:4932
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2256 -ip 2256
            1⤵
              PID:1608
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2416 -ip 2416
              1⤵
                PID:1132

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\oqjubjxn.exe
                Filesize

                11.9MB

                MD5

                8d0341e2f29fe413381e62419f0c517d

                SHA1

                3d245dae612e7854a68ccf35644e2e9009bd31a5

                SHA256

                053fabc1ed76327272fb89724448f254a98cd8e62b266e0f70a1747ef8f8cc30

                SHA512

                9ce23b8d972dcbb8ac6269dee84dbf55281d0abe3bfeb892c05745d18da9cf2a7d21759df50b6e718ccd5833cef94ab29bb3c136c7e5242f80b1da9b93bc5403

                Download Submit

              • memory/2256-7-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/2256-1-0x0000000000450000-0x0000000000550000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2256-3-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

                Download

              • memory/2256-9-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

                Download

              • memory/2256-8-0x0000000000590000-0x00000000005A3000-memory.dmp

                Filesize

                76KB

                Download

              • memory/2256-2-0x0000000000590000-0x00000000005A3000-memory.dmp

                Filesize

                76KB

                Download

              • memory/2416-18-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/2416-13-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/2416-12-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/2416-11-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/4920-17-0x00000000003B0000-0x00000000003C5000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4920-16-0x00000000003B0000-0x00000000003C5000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4920-14-0x00000000003B0000-0x00000000003C5000-memory.dmp

                Filesize

                84KB

                Download