tofsee | 7f3dd1155932d0c2fc3f916c86be0b5fd310f1cbcc313af19971e8fe90a1acbd

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe
Size

13.6MB
MD5

4d509ac17c736d03d2f2e657d4088d12
SHA1

817a43bbbb578ce7648ecb58b91272a9850619ed
SHA256

7f3dd1155932d0c2fc3f916c86be0b5fd310f1cbcc313af19971e8fe90a1acbd
SHA512

d3c79b4242728bf2109d1f8e3b6ee6691a901d1ed9c39543cc09dee6121a58e33930944af379c9859bddd5d8651f4e7d6e4225b90f8b78f800523611760616a5
SSDEEP

393216:IXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL:k

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	4584	Process not Found

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1348	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lwkgjuhb\ImagePath = "C:\\Windows\\SysWOW64\\lwkgjuhb\\zttkvevx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe

Deletes itself 1 IoCs

pid	Process
2152	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
4480	zttkvevx.exe
5012	setup.exe
4588	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 2152	4480	zttkvevx.exe	100

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_pwa_launcher.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source5012_290218401\msedge_7z.data	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cy.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cy.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Temp\source5012_290218401\msedge_7z.data	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\webview2_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\telclient.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msvcp140_codecvt_ids.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wns_push_client.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\resources.pri	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\cookie_exporter.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mspdf.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe	setup.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4944	sc.exe
1688	sc.exe
2700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zttkvevx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1096	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5012	setup.exe
Token: SeIncBasePriorityPrivilege	5012	setup.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3112	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	89
PID 3540 wrote to memory of 3112	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	89
PID 3540 wrote to memory of 3112	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	89
PID 3540 wrote to memory of 3572	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	91
PID 3540 wrote to memory of 3572	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	91
PID 3540 wrote to memory of 3572	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	91
PID 3540 wrote to memory of 2700	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	93
PID 3540 wrote to memory of 2700	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	93
PID 3540 wrote to memory of 2700	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	93
PID 3540 wrote to memory of 4944	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	95
PID 3540 wrote to memory of 4944	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	95
PID 3540 wrote to memory of 4944	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	95
PID 3540 wrote to memory of 1688	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	97
PID 3540 wrote to memory of 1688	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	97
PID 3540 wrote to memory of 1688	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	97
PID 4480 wrote to memory of 2152	4480	zttkvevx.exe	100
PID 4480 wrote to memory of 2152	4480	zttkvevx.exe	100
PID 4480 wrote to memory of 2152	4480	zttkvevx.exe	100
PID 4480 wrote to memory of 2152	4480	zttkvevx.exe	100
PID 4480 wrote to memory of 2152	4480	zttkvevx.exe	100
PID 3540 wrote to memory of 1348	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	101
PID 3540 wrote to memory of 1348	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	101
PID 3540 wrote to memory of 1348	3540	2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe	101
PID 4524 wrote to memory of 5012	4524	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 4524 wrote to memory of 5012	4524	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 5012 wrote to memory of 4588	5012	setup.exe	112
PID 5012 wrote to memory of 4588	5012	setup.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lwkgjuhb\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zttkvevx.exe" C:\Windows\SysWOW64\lwkgjuhb\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create lwkgjuhb binPath= "C:\Windows\SysWOW64\lwkgjuhb\zttkvevx.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description lwkgjuhb "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4944
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start lwkgjuhb
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1348

C:\Windows\SysWOW64\lwkgjuhb\zttkvevx.exe
C:\Windows\SysWOW64\lwkgjuhb\zttkvevx.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-13_4d509ac17c736d03d2f2e657d4088d12_mafia.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2152

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjBBNjAwNzgtM0VCRC00QjVGLThGRTItRkRGQzhCMjNBMzIwfSIgdXNlcmlkPSJ7QkQxNDExODktQUUzMC00ODRFLTk2MTctMDI1MTYyQjZENkYwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkRCMDhBNkEtOEU3Qy00MTFBLTlDQjQtNTdGMkU2RkU3NDlBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTIyMzQ2NTMzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1096

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6dec66a68,0x7ff6dec66a74,0x7ff6dec66a80
    3⤵
    - Executes dropped EXE
    PID:4588
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    PID:1800
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6dec66a68,0x7ff6dec66a74,0x7ff6dec66a80
      4⤵
      PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff661ff6a68,0x7ff661ff6a74,0x7ff661ff6a80
      4⤵
      PID:1832
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff661ff6a68,0x7ff661ff6a74,0x7ff661ff6a80
      4⤵
      PID:2256
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FA5F3191-97D0-4B2A-A6EF-E4A1B717ACB5}\EDGEMITMP_28381.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

Filesize
2.9MB

MD5
0a18f5217da234c4450d2b86f9cd4b9b

SHA1
e6de5dcc50d9ee5d1a4d51d76d8ac764261c6de5

SHA256
ddbb9de5a00e1d4cb1778c047b88f6fbc1a6850a677a6619e6be8f16b4601378

SHA512
d94f337df8f1702f51c2eef3988918b2f9949b48e0f213e52d9b45d6faae6b2d70c4fa89c5f191a18a24ae7f9fff88e0273fd0e47bbb98b11f38d76beb822dd9

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

Filesize
1.8MB

MD5
777a6be95b6fd35abd01a95c5f157958

SHA1
d86227a224c3113e01dca63e7e209424dbdffd84

SHA256
3b7ac3793ef2ab018d2a0552a7b1196569bdd475cb9270773fde61e3b2132b7d

SHA512
5ce80aaf2238b93525bda2d8bedc174847ceaffd6047519c7afa7cb589418603440180987ee212bb23443b02cdfafc7b001596630b20ff44b5a5b6696eda25d6

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\Program Files\msedge_installer.log

Filesize
74KB

MD5
315f8e3084c4a1d8e061b777f0ecaace

SHA1
dcc708d39b5d45be3a934b5514d712fd2a629ada

SHA256
6a20d10a6efdfd2662ededf6c459cff19af28738001f5373467ebe6f7af89876

SHA512
7afd6c93c85776949063ac36077ed5b551cf3f8016fc0a574e59f843179c6f545d30d10d263fbfa0bd1f4f706be23f02460fb23c7ffe46f31686ed7b32c98630

Download Submit
C:\Program Files\msedge_installer.log

Filesize
98KB

MD5
da0aaa5d9583a40652d5996a8447b1f4

SHA1
16dbaf39a61b48eb41557427abe5250c5f8b351f

SHA256
62d732768ebde13ac330d68b75108d9ae2bab28f8a084f9c5696cc6352b42f2a

SHA512
bf26751d63657c7f38e6b4405eff32560c92b369cccf61ce77fcb8a0c11b9f2d15938f6805cd328d49b64ec62652a1f49a5d5f44e8e4c72c3a6b4358aea70ce9

Download Submit
C:\Program Files\msedge_installer.log

Filesize
99KB

MD5
99a4f9ff916dad07d1b992522f90098a

SHA1
b7dd8c6aff6c9085992abefa17eb4735637410c6

SHA256
f3755ca321b643d15a42b96d366c120b017bc66b8c8b55d8a1919933d97225c5

SHA512
93f5368c95babb8f4e73e49a6e20a0d813e3ebb09d490c37b555776d3ac444c04351407622b64302c6f0e9b0562d302866e60b95b33dbdba5478e4baf1c0e11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zttkvevx.exe

Filesize
13.2MB

MD5
6f09fe1836c9fb79f96871e2201a99d9

SHA1
fbee5bfc10a42942bfe574473eaba3ad1f51361a

SHA256
1f5916525ee6048a14639daf9d29e2ad177a944056a2d64572f260473dcdb8b8

SHA512
c670b7b0d3c5bc267460eaa839135805dd2cc2bee127b48e6dbc645e9aab6eadbb76043a40bdcdde1e07d47061aa076373c576e99b1e7526c43d0581e947f770

Download Submit
memory/2152-11-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/2152-15-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/2152-20-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/2152-21-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/2152-19-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/3540-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3540-2-0x00000000005B0000-0x00000000005C3000-memory.dmp

Filesize
76KB

Download
memory/3540-17-0x00000000005B0000-0x00000000005C3000-memory.dmp

Filesize
76KB

Download
memory/3540-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3540-1-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/3540-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4480-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4480-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4480-10-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4480-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads