tofsee | 490bc8f75eabcae07ac5e9fa5ed53ffcbad759f14ac911066e797e31484e34aa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 20:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe
Size

12.3MB
MD5

883021a16023250914bf6e596896bc2b
SHA1

e450db5b3594990d2655a2cac96a412f7138723c
SHA256

490bc8f75eabcae07ac5e9fa5ed53ffcbad759f14ac911066e797e31484e34aa
SHA512

34fd89169b0ec202f7460d41cb29c9ed70a238c8c920b72b24368260df116b38708eace1d235f0c6ad19a9f3699f9f46d104a51deca1a93550c0dd51f6df05c9
SSDEEP

3072:FLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:oOMdRQr7OB0ypmMXnl8XEPM3noSWOC

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2400	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xpanpogo\ImagePath = "C:\\Windows\\SysWOW64\\xpanpogo\\nscxrdac.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe

Deletes itself 1 IoCs

pid	Process
2140	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4368	nscxrdac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4368 set thread context of 2140	4368	nscxrdac.exe	103

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3452	sc.exe
868	sc.exe
1724	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4920	1712	WerFault.exe	82
1932	4368	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nscxrdac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3752	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	86
PID 1712 wrote to memory of 3752	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	86
PID 1712 wrote to memory of 3752	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	86
PID 1712 wrote to memory of 636	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	88
PID 1712 wrote to memory of 636	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	88
PID 1712 wrote to memory of 636	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	88
PID 1712 wrote to memory of 1724	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	90
PID 1712 wrote to memory of 1724	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	90
PID 1712 wrote to memory of 1724	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	90
PID 1712 wrote to memory of 3452	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	92
PID 1712 wrote to memory of 3452	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	92
PID 1712 wrote to memory of 3452	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	92
PID 1712 wrote to memory of 868	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	94
PID 1712 wrote to memory of 868	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	94
PID 1712 wrote to memory of 868	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	94
PID 1712 wrote to memory of 2400	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	97
PID 1712 wrote to memory of 2400	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	97
PID 1712 wrote to memory of 2400	1712	2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe	97
PID 4368 wrote to memory of 2140	4368	nscxrdac.exe	103
PID 4368 wrote to memory of 2140	4368	nscxrdac.exe	103
PID 4368 wrote to memory of 2140	4368	nscxrdac.exe	103
PID 4368 wrote to memory of 2140	4368	nscxrdac.exe	103
PID 4368 wrote to memory of 2140	4368	nscxrdac.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xpanpogo\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nscxrdac.exe" C:\Windows\SysWOW64\xpanpogo\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create xpanpogo binPath= "C:\Windows\SysWOW64\xpanpogo\nscxrdac.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description xpanpogo "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3452
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start xpanpogo
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:868
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1272
  2⤵
  - Program crash
  PID:4920

C:\Windows\SysWOW64\xpanpogo\nscxrdac.exe
C:\Windows\SysWOW64\xpanpogo\nscxrdac.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-01_883021a16023250914bf6e596896bc2b_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 508
  2⤵
  - Program crash
  PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1712 -ip 1712
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4368 -ip 4368
1⤵
PID:4076

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1C85A1A482B668850B25B422835669BA; domain=.bing.com; expires=Thu, 26-Feb-2026 20:22:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E9CFDEC378C84AFB81D8DA2F78C35A60 Ref B: LON04EDGE1213 Ref C: 2025-02-01T20:22:29Z
date: Sat, 01 Feb 2025 20:22:28 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1C85A1A482B668850B25B422835669BA; _EDGE_S=SID=1ED4712A01CF6584072B64AC00E864A6

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=zVCDwoyawa4qFjJGW-ybeqRgog3372EfdEtEE3tQmWQ; domain=.bing.com; expires=Thu, 26-Feb-2026 20:22:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B1539C12D68841AA8ED1104539E8B541 Ref B: LON04EDGE1213 Ref C: 2025-02-01T20:22:29Z
date: Sat, 01 Feb 2025 20:22:28 GMT
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
GET

https://www.bing.com/aes/c.gif?RG=4ed55bb49be24417bf841f977069f337&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T102950Z&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370

Remote address:

88.221.135.34:443

Request

GET /aes/c.gif?RG=4ed55bb49be24417bf841f977069f337&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T102950Z&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1C85A1A482B668850B25B422835669BA

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A05C93453B14C1BB83A1E9B7CAE54BF Ref B: LON04EDGE0707 Ref C: 2025-02-01T20:22:29Z
content-length: 0
date: Sat, 01 Feb 2025 20:22:29 GMT
set-cookie: _EDGE_S=SID=1ED4712A01CF6584072B64AC00E864A6; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1C85A1A482B668850B25B422835669BA; path=/; httponly; expires=Thu, 26-Feb-2026 20:22:29 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.45367a5c.1738441349.787f93e
DNS

34.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.135.221.88.in-addr.arpa

IN PTR

Response

34.135.221.88.in-addr.arpa

IN PTR

a88-221-135-34deploystaticakamaitechnologiescom
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

20.112.250.133

microsoft.com

IN A

20.231.239.246

microsoft.com

IN A

20.76.201.171

microsoft.com

IN A

20.70.246.20

microsoft.com

IN A

20.236.44.162
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN MX

Response

microsoft.com

IN MX

microsoft-commail protectionoutlook�
DNS

microsoft-com.mail.protection.outlook.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

52.101.8.49

microsoft-com.mail.protection.outlook.com

IN A

52.101.40.26

microsoft-com.mail.protection.outlook.com

IN A

52.101.42.0

microsoft-com.mail.protection.outlook.com

IN A

52.101.11.0
DNS

133.250.112.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.250.112.20.in-addr.arpa

IN PTR

Response
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX

Response

yahoo.com

IN MX

mta6am0yahoodnsnet

yahoo.com

IN MX

mta5�.

yahoo.com

IN MX

mta7�.
DNS

mta6.am0.yahoodns.net

svchost.exe

Remote address:

8.8.8.8:53

Request

mta6.am0.yahoodns.net

IN A

Response

mta6.am0.yahoodns.net

IN A

98.136.96.76

mta6.am0.yahoodns.net

IN A

67.195.228.106

mta6.am0.yahoodns.net

IN A

67.195.228.110

mta6.am0.yahoodns.net

IN A

67.195.204.79

mta6.am0.yahoodns.net

IN A

67.195.204.77

mta6.am0.yahoodns.net

IN A

98.136.96.74

mta6.am0.yahoodns.net

IN A

67.195.228.94

mta6.am0.yahoodns.net

IN A

98.136.96.91
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

21.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.49.80.91.in-addr.arpa

IN PTR

Response
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN MX

Response

google.com

IN MX

smtp�
DNS

smtp.google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

smtp.google.com

IN A

Response

smtp.google.com

IN A

142.250.110.26

smtp.google.com

IN A

142.250.110.27

smtp.google.com

IN A

142.251.5.26

smtp.google.com

IN A

66.102.1.26

smtp.google.com

IN A

142.251.5.27
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mail.ru

IN MX

Response

mail.ru

IN MX

mxs�
DNS

mxs.mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mxs.mail.ru

IN A

Response

mxs.mail.ru

IN A

217.69.139.150

mxs.mail.ru

IN A

94.100.180.31
DNS

11.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.153.16.2.in-addr.arpa

IN PTR

Response

11.153.16.2.in-addr.arpa

IN PTR

a2-16-153-11deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

67.112.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.112.168.52.in-addr.arpa

IN PTR

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5

tls, http2

2.6kB
9.2kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8i254hf_Rr_EwrQNFESjyHTVUCUzcIHDHMC-sjY74BJcf0CbYtA_C7nT3ogjVBCOZIcRUTF4sI7-WnkZi3aT_D-vaNBg0QU8tyZTTS3ayH1qFZhReZdlIUXDZLexoN92EoPa6vQYubDswwvZarm3x1_5oUZZzrYhaxNwAvE2j9ANvjoNR%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmJ1eSUyZmNvbXBhcmUtYWxsLW1pY3Jvc29mdC0zNjUtcHJvZHVjdHMlM2ZPQ0lEJTNkY21tNmNyMTkxM20lMjZmb3JtJTNkTTUwMDZY%26rlid%3D3e61a97d294d1f548b05cee72a4c08b7&TIME=20250129T102950Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&muid=D0A40F9BE32078A2894BEDD71C20EBC5

HTTP Response

204
88.221.135.34:443

https://www.bing.com/aes/c.gif?RG=4ed55bb49be24417bf841f977069f337&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T102950Z&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370

tls, http2

1.4kB
5.4kB
16
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=4ed55bb49be24417bf841f977069f337&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T102950Z&adUnitId=11730597&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370

HTTP Response

200
20.112.250.133:80

microsoft.com

svchost.exe

190 B
132 B
4
3
52.101.8.49:25

microsoft-com.mail.protection.outlook.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
98.136.96.76:25

mta6.am0.yahoodns.net

svchost.exe

260 B
5
142.250.110.26:25

smtp.google.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
217.69.139.150:25

mxs.mail.ru

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

34.135.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

34.135.221.88.in-addr.arpa
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
139 B
1
1

DNS Request

microsoft.com

DNS Response

20.112.250.133

20.231.239.246

20.76.201.171

20.70.246.20

20.236.44.162
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
113 B
1
1

DNS Request

microsoft.com
8.8.8.8:53

microsoft-com.mail.protection.outlook.com

dns

svchost.exe

87 B
151 B
1
1

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Response

52.101.8.49

52.101.40.26

52.101.42.0

52.101.11.0
8.8.8.8:53

133.250.112.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

133.250.112.20.in-addr.arpa
8.8.8.8:53

yahoo.com

dns

svchost.exe

55 B
134 B
1
1

DNS Request

yahoo.com
8.8.8.8:53

mta6.am0.yahoodns.net

dns

svchost.exe

67 B
195 B
1
1

DNS Request

mta6.am0.yahoodns.net

DNS Response

98.136.96.76

67.195.228.106

67.195.228.110

67.195.204.79

67.195.204.77

98.136.96.74

67.195.228.94

98.136.96.91
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

21.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

21.49.80.91.in-addr.arpa
8.8.8.8:53

google.com

dns

svchost.exe

56 B
77 B
1
1

DNS Request

google.com
8.8.8.8:53

smtp.google.com

dns

svchost.exe

61 B
141 B
1
1

DNS Request

smtp.google.com

DNS Response

142.250.110.26

142.250.110.27

142.251.5.26

66.102.1.26

142.251.5.27
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

mail.ru

dns

svchost.exe

53 B
73 B
1
1

DNS Request

mail.ru
8.8.8.8:53

mxs.mail.ru

dns

svchost.exe

57 B
89 B
1
1

DNS Request

mxs.mail.ru

DNS Response

217.69.139.150

94.100.180.31
8.8.8.8:53

11.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.153.16.2.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

67.112.168.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

67.112.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscxrdac.exe

Filesize
11.8MB

MD5
25dc4e3616c51862684bf615b35f409b

SHA1
83ce66c0deb5e02fd6e30171091f4583aa0efc70

SHA256
e770be0ee3ccb431d2eeaad3e0eb0c3f2f6018158c5b85f920f7b75913ed9c14

SHA512
b5c94768c786e112dd772d84dba9163697a5368857524620100631a15e90d99f7f0f6380a784db4614d5ff7718cbdaa1f7fd30ebf983371b3e97279a27ecc2c6

Download Submit
memory/1712-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1712-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1712-2-0x0000000000490000-0x00000000004A3000-memory.dmp

Filesize
76KB

Download
memory/1712-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1712-8-0x0000000000490000-0x00000000004A3000-memory.dmp

Filesize
76KB

Download
memory/1712-1-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2140-14-0x00000000005A0000-0x00000000005B5000-memory.dmp

Filesize
84KB

Download
memory/2140-16-0x00000000005A0000-0x00000000005B5000-memory.dmp

Filesize
84KB

Download
memory/2140-17-0x00000000005A0000-0x00000000005B5000-memory.dmp

Filesize
84KB

Download
memory/4368-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4368-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4368-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4368-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.