tofsee | d67388ec3b91421ee068477e5170d1bff68d8d0cd580cff790a811bafab400b6

General

Target

2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe
Size

12.2MB
MD5

1191304561e1a1c77c9d4dd5bdab0d27
SHA1

c7bbe9fa83757f6286a53daf14c193d6b700f62c
SHA256

d67388ec3b91421ee068477e5170d1bff68d8d0cd580cff790a811bafab400b6
SHA512

65f220531455f87d4e87b1542b786ae8879d4a6262b92b9be5f677cde4a5a397f1b37b32a507ca82b63abcae346f71f5a0620148bcd7c2ca60c186110bcdbbdf
SSDEEP

3072:QLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:tOMdRQr7OB0ypmMXnl8XEPM3noSWOC

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
49	3828	Process not Found

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3248	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vypnnkym\ImagePath = "C:\\Windows\\SysWOW64\\vypnnkym\\rllcnwnp.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe

Deletes itself 1 IoCs

pid	Process
760	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	rllcnwnp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 760	2116	rllcnwnp.exe	105

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2564	sc.exe
4688	sc.exe
3844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4552	908	WerFault.exe	85
1888	2116	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rllcnwnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2508	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 4172	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	89
PID 908 wrote to memory of 4172	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	89
PID 908 wrote to memory of 4172	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	89
PID 908 wrote to memory of 4160	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	91
PID 908 wrote to memory of 4160	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	91
PID 908 wrote to memory of 4160	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	91
PID 908 wrote to memory of 2564	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	93
PID 908 wrote to memory of 2564	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	93
PID 908 wrote to memory of 2564	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	93
PID 908 wrote to memory of 4688	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	95
PID 908 wrote to memory of 4688	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	95
PID 908 wrote to memory of 4688	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	95
PID 908 wrote to memory of 3844	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	97
PID 908 wrote to memory of 3844	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	97
PID 908 wrote to memory of 3844	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	97
PID 908 wrote to memory of 3248	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	100
PID 908 wrote to memory of 3248	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	100
PID 908 wrote to memory of 3248	908	2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe	100
PID 2116 wrote to memory of 760	2116	rllcnwnp.exe	105
PID 2116 wrote to memory of 760	2116	rllcnwnp.exe	105
PID 2116 wrote to memory of 760	2116	rllcnwnp.exe	105
PID 2116 wrote to memory of 760	2116	rllcnwnp.exe	105
PID 2116 wrote to memory of 760	2116	rllcnwnp.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vypnnkym\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rllcnwnp.exe" C:\Windows\SysWOW64\vypnnkym\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4160
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create vypnnkym binPath= "C:\Windows\SysWOW64\vypnnkym\rllcnwnp.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description vypnnkym "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start vypnnkym
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3844
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1200
  2⤵
  - Program crash
  PID:4552

C:\Windows\SysWOW64\vypnnkym\rllcnwnp.exe
C:\Windows\SysWOW64\vypnnkym\rllcnwnp.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-08_1191304561e1a1c77c9d4dd5bdab0d27_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 536
  2⤵
  - Program crash
  PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 908 -ip 908
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2116 -ip 2116
1⤵
PID:1060

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDEyNkQzODUtMzY4NS00NEMzLTkxMzctOTBENkZFMDE3QzM4fSIgdXNlcmlkPSJ7MjZFMzFEMEUtNkVDQS00QjU0LUEwNUMtMDJDNzNDOUIwMEY2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTkwQkY2MTktNzhDQS00QTEwLUJEMzItNkM4NUI0NUE4RkE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzAzODEwNDg0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rllcnwnp.exe

Filesize
12.1MB

MD5
14eb8209c89b4b71bf0b726785c697b1

SHA1
71a363faf9136fa5cf39040c19e4fbe61efbf819

SHA256
03e712f145c0a390c350839162e682be78c0a631a9ca52c8f08a464e0d66e47b

SHA512
a2348a7b253b9832dc3c1e738e1be34cc0e58296d503cd0ccda4d5b40966e7825a883513081c9dc67fcf44cb76387cb997514a2feddfb7f77701ddca3b363547

Download Submit
memory/760-14-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/760-16-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/760-17-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/908-1-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/908-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/908-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/908-8-0x0000000000450000-0x0000000000463000-memory.dmp

Filesize
76KB

Download
memory/908-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/908-2-0x0000000000450000-0x0000000000463000-memory.dmp

Filesize
76KB

Download
memory/2116-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2116-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2116-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2116-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads