tofsee | 5d36fd5b1c9ad5e0c71086c6a0f8fbf283023e1c6100766016845a1ca9cc90b2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 20:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe
Size

14.6MB
MD5

8c2617eac4af14f03388966694e2c891
SHA1

0e703dd33d84d269b3038c4d64b976478d53b7ac
SHA256

5d36fd5b1c9ad5e0c71086c6a0f8fbf283023e1c6100766016845a1ca9cc90b2
SHA512

0c6eef79f995da65fc44e33b1331a59b08b529915f44c06ee59d048dbb204e1693b77dff9fca6819d0709bcb03d76fd368c430cd029254f204446f56c21c2eea
SSDEEP

393216:cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXn:

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2668	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qdymmapd\ImagePath = "C:\\Windows\\SysWOW64\\qdymmapd\\veydvupl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe

Deletes itself 1 IoCs

pid	Process
3764	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4348	veydvupl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 3764	4348	veydvupl.exe	98

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5084	sc.exe
1440	sc.exe
1920	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veydvupl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 5044	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	86
PID 4040 wrote to memory of 5044	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	86
PID 4040 wrote to memory of 5044	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	86
PID 4040 wrote to memory of 2916	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	88
PID 4040 wrote to memory of 2916	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	88
PID 4040 wrote to memory of 2916	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	88
PID 4040 wrote to memory of 5084	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	90
PID 4040 wrote to memory of 5084	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	90
PID 4040 wrote to memory of 5084	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	90
PID 4040 wrote to memory of 1440	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	92
PID 4040 wrote to memory of 1440	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	92
PID 4040 wrote to memory of 1440	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	92
PID 4040 wrote to memory of 1920	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	94
PID 4040 wrote to memory of 1920	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	94
PID 4040 wrote to memory of 1920	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	94
PID 4348 wrote to memory of 3764	4348	veydvupl.exe	98
PID 4348 wrote to memory of 3764	4348	veydvupl.exe	98
PID 4348 wrote to memory of 3764	4348	veydvupl.exe	98
PID 4348 wrote to memory of 3764	4348	veydvupl.exe	98
PID 4348 wrote to memory of 3764	4348	veydvupl.exe	98
PID 4040 wrote to memory of 2668	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	97
PID 4040 wrote to memory of 2668	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	97
PID 4040 wrote to memory of 2668	4040	2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe	97

C:\Users\Admin\AppData\Local\Temp\2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qdymmapd\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\veydvupl.exe" C:\Windows\SysWOW64\qdymmapd\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create qdymmapd binPath= "C:\Windows\SysWOW64\qdymmapd\veydvupl.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:5084
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description qdymmapd "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start qdymmapd
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2668

C:\Windows\SysWOW64\qdymmapd\veydvupl.exe
C:\Windows\SysWOW64\qdymmapd\veydvupl.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-01_8c2617eac4af14f03388966694e2c891_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3764

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=36A99574E39E6693242380F2E22567C5; domain=.bing.com; expires=Thu, 26-Feb-2026 20:24:11 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6E0B7A597725420CAB487E5BDB683257 Ref B: LON04EDGE0807 Ref C: 2025-02-01T20:24:11Z
date: Sat, 01 Feb 2025 20:24:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36A99574E39E6693242380F2E22567C5

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=SBLkP7G5bqazAvtZVj9R53vlsdCXLe1RwmY_bqfeyBY; domain=.bing.com; expires=Thu, 26-Feb-2026 20:24:11 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FB17CEBB0BE544A28BE6C4DF59A6A82B Ref B: LON04EDGE0807 Ref C: 2025-02-01T20:24:11Z
date: Sat, 01 Feb 2025 20:24:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36A99574E39E6693242380F2E22567C5; MSPTC=SBLkP7G5bqazAvtZVj9R53vlsdCXLe1RwmY_bqfeyBY

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 50FBC1563CC442F0A3122ECF71B62F3D Ref B: LON04EDGE0807 Ref C: 2025-02-01T20:24:11Z
date: Sat, 01 Feb 2025 20:24:11 GMT
DNS

131.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.160.190.20.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

20.112.250.133

microsoft.com

IN A

20.76.201.171

microsoft.com

IN A

20.70.246.20

microsoft.com

IN A

20.231.239.246

microsoft.com

IN A

20.236.44.162
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN MX

Response

microsoft.com

IN MX

microsoft-commail protectionoutlook�
DNS

microsoft-com.mail.protection.outlook.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

52.101.8.49

microsoft-com.mail.protection.outlook.com

IN A

52.101.11.0

microsoft-com.mail.protection.outlook.com

IN A

52.101.40.26

microsoft-com.mail.protection.outlook.com

IN A

52.101.42.0
DNS

133.250.112.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.250.112.20.in-addr.arpa

IN PTR

Response
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX

Response

yahoo.com

IN MX

mta5am0yahoodnsnet

yahoo.com

IN MX

mta7�.

yahoo.com

IN MX

mta6�.
DNS

mta5.am0.yahoodns.net

svchost.exe

Remote address:

8.8.8.8:53

Request

mta5.am0.yahoodns.net

IN A

Response

mta5.am0.yahoodns.net

IN A

67.195.204.74

mta5.am0.yahoodns.net

IN A

98.136.96.76

mta5.am0.yahoodns.net

IN A

98.136.96.74

mta5.am0.yahoodns.net

IN A

67.195.204.72

mta5.am0.yahoodns.net

IN A

67.195.228.94

mta5.am0.yahoodns.net

IN A

67.195.204.73

mta5.am0.yahoodns.net

IN A

67.195.228.109

mta5.am0.yahoodns.net

IN A

67.195.228.111
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

166.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.190.18.2.in-addr.arpa

IN PTR

Response

166.190.18.2.in-addr.arpa

IN PTR

a2-18-190-166deploystaticakamaitechnologiescom
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN MX

Response

google.com

IN MX

smtp�
DNS

smtp.google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

smtp.google.com

IN A

Response

smtp.google.com

IN A

142.251.5.27

smtp.google.com

IN A

66.102.1.27

smtp.google.com

IN A

142.250.110.27

smtp.google.com

IN A

142.250.110.26

smtp.google.com

IN A

142.251.5.26
DNS

mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mail.ru

IN MX

Response

mail.ru

IN MX

mxs�
DNS

mxs.mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mxs.mail.ru

IN A

Response

mxs.mail.ru

IN A

94.100.180.31

mxs.mail.ru

IN A

217.69.139.150
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4c76a3b48436494eab47536c57759724&localId=w:BD540486-7284-18D7-F423-ED0B38A0579E&deviceId=6825842710383264&anid=

HTTP Response

204
20.112.250.133:80

microsoft.com

svchost.exe

190 B
92 B
4
2
52.101.8.49:25

microsoft-com.mail.protection.outlook.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
67.195.204.74:25

mta5.am0.yahoodns.net

svchost.exe

260 B
5
142.251.5.27:25

smtp.google.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
94.100.180.31:25

mxs.mail.ru

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

131.160.190.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

131.160.190.20.in-addr.arpa
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
139 B
1
1

DNS Request

microsoft.com

DNS Response

20.112.250.133

20.76.201.171

20.70.246.20

20.231.239.246

20.236.44.162
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
113 B
1
1

DNS Request

microsoft.com
8.8.8.8:53

microsoft-com.mail.protection.outlook.com

dns

svchost.exe

87 B
151 B
1
1

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Response

52.101.8.49

52.101.11.0

52.101.40.26

52.101.42.0
8.8.8.8:53

133.250.112.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

133.250.112.20.in-addr.arpa
8.8.8.8:53

yahoo.com

dns

svchost.exe

55 B
134 B
1
1

DNS Request

yahoo.com
8.8.8.8:53

mta5.am0.yahoodns.net

dns

svchost.exe

67 B
195 B
1
1

DNS Request

mta5.am0.yahoodns.net

DNS Response

67.195.204.74

98.136.96.76

98.136.96.74

67.195.204.72

67.195.228.94

67.195.204.73

67.195.228.109

67.195.228.111
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

166.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

166.190.18.2.in-addr.arpa
8.8.8.8:53

google.com

dns

svchost.exe

56 B
77 B
1
1

DNS Request

google.com
8.8.8.8:53

smtp.google.com

dns

svchost.exe

61 B
141 B
1
1

DNS Request

smtp.google.com

DNS Response

142.251.5.27

66.102.1.27

142.250.110.27

142.250.110.26

142.251.5.26
8.8.8.8:53

mail.ru

dns

svchost.exe

53 B
73 B
1
1

DNS Request

mail.ru
8.8.8.8:53

mxs.mail.ru

dns

svchost.exe

57 B
89 B
1
1

DNS Request

mxs.mail.ru

DNS Response

94.100.180.31

217.69.139.150
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\veydvupl.exe

Filesize
14.1MB

MD5
c6a2ee9bf7220df3aed9827e1ee4a096

SHA1
1a162fb9015592473202907f11e6b1ea20c133bd

SHA256
ccb5006edf70aac59554ce54b3ad29bf65233a077e1069fd8d1c5009f6ac0fe3

SHA512
86d386d1d281227ecf64941ebb0f3efc5f1d65d830a89bb3fbe848595060ed16910b12f2296f68dd839b0a1e07e2a8e4103cd9711ab184ee6b61339fd65c4560

Download Submit
memory/3764-12-0x0000000000A60000-0x0000000000A75000-memory.dmp

Filesize
84KB

Download
memory/3764-9-0x0000000000A60000-0x0000000000A75000-memory.dmp

Filesize
84KB

Download
memory/3764-17-0x0000000000A60000-0x0000000000A75000-memory.dmp

Filesize
84KB

Download
memory/3764-18-0x0000000000A60000-0x0000000000A75000-memory.dmp

Filesize
84KB

Download
memory/3764-19-0x0000000000A60000-0x0000000000A75000-memory.dmp

Filesize
84KB

Download
memory/4040-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4040-2-0x00000000004A0000-0x00000000004B3000-memory.dmp

Filesize
76KB

Download
memory/4040-1-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/4040-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4040-15-0x00000000004A0000-0x00000000004B3000-memory.dmp

Filesize
76KB

Download
memory/4040-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4348-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4348-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.