Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    10/02/2023, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    385KB

  • MD5

    ba2cc72879e8642a04545a795cf2c154

  • SHA1

    f0b9d522c0f6ab5eba74825d89c8c9a01ebc4202

  • SHA256

    f2dc9e5e517f8be39cde8bb164f2d9ed51c814f6584511e996940f4746a874f6

  • SHA512

    4e80c171ab5ed6aa2ba12a20dc9bca8d32768c10c0c1334f79df6b4203c9ebdf8ab85ec914da509d0da1d4f5dea4d7265d0acbd03749be5fe57b999c222c1bc9

  • SSDEEP

    3072:xr8AV4Mha55dPRY9UWprNBSBajLjyVXl9nf6N58IUZK2UU7:dQ3h6qOqasXTnfW53AK

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mhimukdj\
      2⤵
        PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iogvatk.exe" C:\Windows\SysWOW64\mhimukdj\
        2⤵
          PID:1240
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mhimukdj binPath= "C:\Windows\SysWOW64\mhimukdj\iogvatk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1920
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description mhimukdj "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:384
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start mhimukdj
          2⤵
          • Launches sc.exe
          PID:1468
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1448
        • C:\Users\Admin\jzsqnwdc.exe
          "C:\Users\Admin\jzsqnwdc.exe" /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ebvwtbry.exe" C:\Windows\SysWOW64\mhimukdj\
            3⤵
              PID:1472
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" config mhimukdj binPath= "C:\Windows\SysWOW64\mhimukdj\ebvwtbry.exe /d\"C:\Users\Admin\jzsqnwdc.exe\""
              3⤵
              • Launches sc.exe
              PID:1408
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mhimukdj
              3⤵
              • Launches sc.exe
              PID:1976
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              3⤵
              • Modifies Windows Firewall
              PID:1548
        • C:\Windows\SysWOW64\mhimukdj\ebvwtbry.exe
          C:\Windows\SysWOW64\mhimukdj\ebvwtbry.exe /d"C:\Users\Admin\jzsqnwdc.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:1612

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ebvwtbry.exe
          Filesize

          11.7MB

          MD5

          35cd143446471b0cf0b3687acb0115b2

          SHA1

          706a94b9e5ba76112eea664d9e9f2b45af353d96

          SHA256

          3b20f89fc6689e971cc373b639a38572a418c3b10aa36f8f8434df1b37e33947

          SHA512

          c88cf528bfaad1af2b5f66715d863462314272c894119abb53330ccfab98a319bcd3dd1e508c18ac75699eaea96b40ab5455d99c818ad98f85e98d736e067f14

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iogvatk.exe
          Filesize

          14.0MB

          MD5

          13abe91cc56541d46d9c8599108e3b57

          SHA1

          bfdd739d64b01583f75a1697d788e4658e1b84e8

          SHA256

          8c92841579498eed540313297657d443d341142ed7697bdf3f53c3f080660ea8

          SHA512

          28893c948d83ee343cdea6c48f383d26d8fafa1ac7c4700c69b5e67fb469179b3b6f52b30a6dc81627c7d284bb653d2611b0053f1113981466aae825f1ae1ae5

          Download Submit

        • C:\Users\Admin\jzsqnwdc.exe
          Filesize

          13.8MB

          MD5

          f1b2dc41ae1f181cdc32c23e23a4e3c6

          SHA1

          942a85b1c7781c0c2c61ec747caa1d8d9308ea9c

          SHA256

          ffebb7a6afc65bbcb3798bb6e03aa151e6e071c204eb667975e979cae3fc3900

          SHA512

          9275cde2c749f73bf4e2482319a7872092e6f311aacc79509292531bc2d3671c6d65fb46c8ccf2b28c833f13180480ab177cc33d7030b84440170a10fb4955b4

          Download Submit

        • C:\Users\Admin\jzsqnwdc.exe
          Filesize

          13.8MB

          MD5

          f1b2dc41ae1f181cdc32c23e23a4e3c6

          SHA1

          942a85b1c7781c0c2c61ec747caa1d8d9308ea9c

          SHA256

          ffebb7a6afc65bbcb3798bb6e03aa151e6e071c204eb667975e979cae3fc3900

          SHA512

          9275cde2c749f73bf4e2482319a7872092e6f311aacc79509292531bc2d3671c6d65fb46c8ccf2b28c833f13180480ab177cc33d7030b84440170a10fb4955b4

          Download Submit

        • C:\Windows\SysWOW64\mhimukdj\ebvwtbry.exe
          Filesize

          11.7MB

          MD5

          35cd143446471b0cf0b3687acb0115b2

          SHA1

          706a94b9e5ba76112eea664d9e9f2b45af353d96

          SHA256

          3b20f89fc6689e971cc373b639a38572a418c3b10aa36f8f8434df1b37e33947

          SHA512

          c88cf528bfaad1af2b5f66715d863462314272c894119abb53330ccfab98a319bcd3dd1e508c18ac75699eaea96b40ab5455d99c818ad98f85e98d736e067f14

          Download Submit

        • \Users\Admin\jzsqnwdc.exe
          Filesize

          13.8MB

          MD5

          f1b2dc41ae1f181cdc32c23e23a4e3c6

          SHA1

          942a85b1c7781c0c2c61ec747caa1d8d9308ea9c

          SHA256

          ffebb7a6afc65bbcb3798bb6e03aa151e6e071c204eb667975e979cae3fc3900

          SHA512

          9275cde2c749f73bf4e2482319a7872092e6f311aacc79509292531bc2d3671c6d65fb46c8ccf2b28c833f13180480ab177cc33d7030b84440170a10fb4955b4

          Download Submit

        • \Users\Admin\jzsqnwdc.exe
          Filesize

          13.8MB

          MD5

          f1b2dc41ae1f181cdc32c23e23a4e3c6

          SHA1

          942a85b1c7781c0c2c61ec747caa1d8d9308ea9c

          SHA256

          ffebb7a6afc65bbcb3798bb6e03aa151e6e071c204eb667975e979cae3fc3900

          SHA512

          9275cde2c749f73bf4e2482319a7872092e6f311aacc79509292531bc2d3671c6d65fb46c8ccf2b28c833f13180480ab177cc33d7030b84440170a10fb4955b4

          Download Submit

        • memory/948-81-0x00000000006BD000-0x00000000006D3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/948-78-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/948-77-0x00000000006BD000-0x00000000006D3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/948-84-0x00000000006BD000-0x00000000006D3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/948-85-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1612-105-0x00000000001D0000-0x00000000001E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1612-99-0x00000000018D0000-0x0000000001ADF000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1612-111-0x00000000059B0000-0x0000000005DBB000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1612-108-0x00000000001E0000-0x00000000001E5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1612-98-0x00000000000D0000-0x00000000000E5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1612-91-0x00000000000D0000-0x00000000000E5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1612-117-0x00000000000D0000-0x00000000000E5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1612-89-0x00000000000D0000-0x00000000000E5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1612-102-0x00000000001C0000-0x00000000001C6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1612-114-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1848-93-0x000000000058D000-0x00000000005A3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1848-95-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2036-61-0x0000000000220000-0x0000000000233000-memory.dmp

          Filesize

          76KB

          Download

        • memory/2036-55-0x000000000059D000-0x00000000005B3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2036-56-0x0000000000220000-0x0000000000233000-memory.dmp

          Filesize

          76KB

          Download

        • memory/2036-58-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2036-73-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2036-62-0x000000000059D000-0x00000000005B3000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2036-54-0x0000000076411000-0x0000000076413000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2036-72-0x000000000059D000-0x00000000005B3000-memory.dmp

          Filesize

          88KB

          Download