Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/05/2025, 01:39

General

  • Target

    2025-05-08_7156ffc1d2c3942035bd1b5e8b735fde_amadey_elex_gcleaner_rhadamanthys_smoke-loader_tofsee.exe

  • Size

    11.6MB

  • MD5

    7156ffc1d2c3942035bd1b5e8b735fde

  • SHA1

    afd2637ad85ab0740b93d17093ce26e7d312eb46

  • SHA256

    12bcf2e8d6a01a591fc06fc6fdcda9727b24d8e4344476cd589de467a6e2bfbc

  • SHA512

    27970e8d3d2caf89b018f381fa8a636887b417c5be7d17148fd32f85e35e302b22d1f1b5fde95506daea59873cc17ef31a82350e0d51cc4f877dbec0f18603cf

  • SSDEEP

    24576:TsTiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiX:A

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Tofsee family
  • Creates new service(s) 2 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-08_7156ffc1d2c3942035bd1b5e8b735fde_amadey_elex_gcleaner_rhadamanthys_smoke-loader_tofsee.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-08_7156ffc1d2c3942035bd1b5e8b735fde_amadey_elex_gcleaner_rhadamanthys_smoke-loader_tofsee.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gaimigaa\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dlaerpyy.exe" C:\Windows\SysWOW64\gaimigaa\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3360
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create gaimigaa binPath= "C:\Windows\SysWOW64\gaimigaa\dlaerpyy.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-05-08_7156ffc1d2c3942035bd1b5e8b735fde_amadey_elex_gcleaner_rhadamanthys_smoke-loader_tofsee.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3316
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description gaimigaa "wifi internet conection"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3296
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start gaimigaa
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3684
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:5768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1208
      2⤵
      • Program crash
      PID:4500
  • C:\Windows\SysWOW64\gaimigaa\dlaerpyy.exe
    C:\Windows\SysWOW64\gaimigaa\dlaerpyy.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-05-08_7156ffc1d2c3942035bd1b5e8b735fde_amadey_elex_gcleaner_rhadamanthys_smoke-loader_tofsee.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:4528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 508
      2⤵
      • Program crash
      PID:4620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1092 -ip 1092
    1⤵
    PID:4428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2456 -ip 2456
      1⤵
      PID:4664

Network

MITRE ATT&CK Enterprise v16


Downloads

  • C:\Users\Admin\AppData\Local\Temp\dlaerpyy.exe

    Filesize

    11.9MB

    MD5

    22623bc1178a50ccb00c668ae329da09

    SHA1

    70a5e16755c37ec02dda1223e5f5602e360deb56

    SHA256

    4fea1fc7a1c52ae1b992eedd6577ed5ea7bdfba6ca9fb9e0786a586a4153b778

    SHA512

    401e687cb12fb94112001b58cd473e84aaf917f407c0d03827f7587aaf7b8ca38a75a35e4cd269f77d41fb5d224aabdeb96d2901f4c0cf0e0a50ea79eea79f7b

  • memory/1092-1-0x0000000001B10000-0x0000000001C10000-memory.dmp

    Filesize

    1024KB

  • memory/1092-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

    Filesize

    76KB

  • memory/1092-3-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/1092-9-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/1092-7-0x0000000000400000-0x0000000001A9F000-memory.dmp

    Filesize

    22.6MB

  • memory/1092-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

    Filesize

    76KB

  • memory/2456-15-0x0000000000400000-0x0000000001A9F000-memory.dmp

    Filesize

    22.6MB

  • memory/4528-11-0x0000000000960000-0x0000000000975000-memory.dmp

    Filesize

    84KB

  • memory/4528-13-0x0000000000960000-0x0000000000975000-memory.dmp

    Filesize

    84KB

  • memory/4528-14-0x0000000000960000-0x0000000000975000-memory.dmp

    Filesize

    84KB
