Resubmissions

  • 08/05/2023, 12:04
    230508-n83alscc6v 10
  • 14/02/2023, 12:24
    230214-pljenacf6s 1
  • 14/02/2023, 12:00
    230214-n6rq4adb47 10
  • 14/02/2023, 11:52
    230214-n1s2zace3s 10
  • 24/01/2023, 09:45
    230124-lrfn6sad97 10

Analysis

  • max time kernel
    19s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/02/2023, 12:00

General

  • Target
    8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
  • Size
    232KB
  • MD5
    f6254a206b59207201f38f69fb018932
  • SHA1
    4109d2edf584ce7f8104410eaa02ddae1aa37117
  • SHA256
    8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45
  • SHA512
    bf6ab8ed99b730a364affed3f341387d82a5fed4ae052f4e897726adae2e963182083a3ba6fa52dfa6f2bd9cc9c3b92643279f46bebf931288545938da5a01b6
  • SSDEEP
    3072:aIGGLok59Gt+ECvLFwyvBnlS1g/tK8MJ2LJDhzLrcSb54VIcVTuh:TLoYC+rK+ztK8MY3bIr

Malware Config

Extracted

  • Family
    tofsee
  • C2
    svartalfheim.top
    jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
    "C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edupxxhy\
      2⤵
        PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ynbyrxtw.exe" C:\Windows\SysWOW64\edupxxhy\
        2⤵
          PID:1540
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create edupxxhy binPath= "C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d\"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:956
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description edupxxhy "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1604
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start edupxxhy
          2⤵
          • Launches sc.exe
          PID:2012
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1644
      • C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe
        C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1832

Network

MITRE ATT&CK Enterprise v6
Downloads

  • C:\Users\Admin\AppData\Local\Temp\ynbyrxtw.exe
    Filesize
    14.1MB
    MD5
    a26b8b2a3e377ecc320d0f6786b6020f
    SHA1
    100c30429cb88a221f58287110b2f88554e0ba70
    SHA256
    c3abf7fc8a66a932be95f1c5be8e8c29b90d1ce7b60344a8b82234af625074f3
    SHA512
    1aff8ac929835e939e1b4f7e248e8a42d7fb6c4d01de6c5233895ca9afc4b98ea2a78d2b98254c09be88224d88b5d458c1ed566f9f36a0665de138a0fb0cadb2

  • C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe
    Filesize
    14.1MB
    MD5
    a26b8b2a3e377ecc320d0f6786b6020f
    SHA1
    100c30429cb88a221f58287110b2f88554e0ba70
    SHA256
    c3abf7fc8a66a932be95f1c5be8e8c29b90d1ce7b60344a8b82234af625074f3
    SHA512
    1aff8ac929835e939e1b4f7e248e8a42d7fb6c4d01de6c5233895ca9afc4b98ea2a78d2b98254c09be88224d88b5d458c1ed566f9f36a0665de138a0fb0cadb2

  • memory/112-76-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize
    376KB

  • memory/112-74-0x000000000053B000-0x000000000054C000-memory.dmp
    Filesize
    68KB

  • memory/856-66-0x000000000061B000-0x000000000062C000-memory.dmp
    Filesize
    68KB

  • memory/856-57-0x0000000000220000-0x0000000000233000-memory.dmp
    Filesize
    76KB

  • memory/856-56-0x000000000061B000-0x000000000062C000-memory.dmp
    Filesize
    68KB

  • memory/856-58-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize
    376KB

  • memory/856-54-0x0000000076151000-0x0000000076153000-memory.dmp
    Filesize
    8KB

  • memory/856-67-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize
    376KB

  • memory/1832-70-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/1832-72-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB

  • memory/1832-79-0x0000000000080000-0x0000000000095000-memory.dmp
    Filesize
    84KB