tofsee | 508e0b917e67cc4a91bcb7f6c2935ea1cdddd5133a71a353ca5385f2dfc575ba

General

Target

2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe
Size

10.8MB
MD5

38f0a0ac9331f715bef30247af40bbe0
SHA1

a3368fd06f38dd5a16756d481ee39d883b6bc188
SHA256

508e0b917e67cc4a91bcb7f6c2935ea1cdddd5133a71a353ca5385f2dfc575ba
SHA512

97baaa0f165ddd7ad038abc480b7cc76b72ae76bd18b1a8612a60a6c647e2f46acfb9825c09bdca5991a8e1a5f4d9b288012bda99b40d2e7d2326aa948902dfb
SSDEEP

24576:E6WdLQkyQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQr:pWdLQkh

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4932	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xrqodxxu\ImagePath = "C:\\Windows\\SysWOW64\\xrqodxxu\\gtfcvinx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe

Deletes itself 1 IoCs

pid	Process
1660	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3808	gtfcvinx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 1660	3808	gtfcvinx.exe	102

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2424	sc.exe
3708	sc.exe
2772	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2972	3764	WerFault.exe	82
2284	3808	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtfcvinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1044	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	86
PID 3764 wrote to memory of 1044	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	86
PID 3764 wrote to memory of 1044	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	86
PID 3764 wrote to memory of 2624	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	88
PID 3764 wrote to memory of 2624	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	88
PID 3764 wrote to memory of 2624	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	88
PID 3764 wrote to memory of 2424	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	90
PID 3764 wrote to memory of 2424	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	90
PID 3764 wrote to memory of 2424	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	90
PID 3764 wrote to memory of 3708	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	92
PID 3764 wrote to memory of 3708	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	92
PID 3764 wrote to memory of 3708	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	92
PID 3764 wrote to memory of 2772	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	94
PID 3764 wrote to memory of 2772	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	94
PID 3764 wrote to memory of 2772	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	94
PID 3764 wrote to memory of 4932	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	97
PID 3764 wrote to memory of 4932	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	97
PID 3764 wrote to memory of 4932	3764	2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe	97
PID 3808 wrote to memory of 1660	3808	gtfcvinx.exe	102
PID 3808 wrote to memory of 1660	3808	gtfcvinx.exe	102
PID 3808 wrote to memory of 1660	3808	gtfcvinx.exe	102
PID 3808 wrote to memory of 1660	3808	gtfcvinx.exe	102
PID 3808 wrote to memory of 1660	3808	gtfcvinx.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xrqodxxu\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gtfcvinx.exe" C:\Windows\SysWOW64\xrqodxxu\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create xrqodxxu binPath= "C:\Windows\SysWOW64\xrqodxxu\gtfcvinx.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description xrqodxxu "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start xrqodxxu
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1264
  2⤵
  - Program crash
  PID:2972

C:\Windows\SysWOW64\xrqodxxu\gtfcvinx.exe
C:\Windows\SysWOW64\xrqodxxu\gtfcvinx.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-04_38f0a0ac9331f715bef30247af40bbe0_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 508
  2⤵
  - Program crash
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3764 -ip 3764
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3808 -ip 3808
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gtfcvinx.exe

Filesize
10.4MB

MD5
b04caf1d694e4b9e961833cfb840ca68

SHA1
eef2310dd576a9e14a031ff715c8fb1b67d95dfb

SHA256
1e81e49ba359eac9e8efeb0e9c04d9c3b9a9ee7e000f3713d6d01239ceb43607

SHA512
d7994e2040e9e223b21b59fe1c423b50a78100ec05383ff479d1e3ec72c2960764cb182c3927c88459e022c9a6587a10f6b50a77b0ce84cb4a1fc8ca2620d3bb

Download Submit
memory/1660-14-0x0000000000BC0000-0x0000000000BD5000-memory.dmp

Filesize
84KB

Download
memory/1660-16-0x0000000000BC0000-0x0000000000BD5000-memory.dmp

Filesize
84KB

Download
memory/1660-17-0x0000000000BC0000-0x0000000000BD5000-memory.dmp

Filesize
84KB

Download
memory/3764-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3764-2-0x0000000000880000-0x0000000000893000-memory.dmp

Filesize
76KB

Download
memory/3764-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3764-8-0x0000000000880000-0x0000000000893000-memory.dmp

Filesize
76KB

Download
memory/3764-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3764-1-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/3808-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3808-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3808-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3808-18-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads