Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14/04/2023, 20:49

General

  • Target

    77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe

  • Size

    276KB

  • MD5

    80ee506064ae22c8ea34ffb2431f2488

  • SHA1

    0c5a71beb97751a781203d598e97e5a746df62df

  • SHA256

    77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb

  • SHA512

    39be470cc5e8f170296371c7cfb7727b402e4c8b6e1ea6d66fe4195aa83f090cb9cf17d941dbb15214ae9e0a20f0015a190eb35a563067f2d645ea3f21609a6c

  • SSDEEP

    3072:/3czQeDsw9vCdirSqJ4GGueYDDwOtDUeblv8zMrnwg5o6JP3WJ0nWFok:GQmstdiDJ4xuHDwiDpd8z+w56J+Dak

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe
    "C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mnpdcisa\
      2⤵
        PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vcfazttn.exe" C:\Windows\SysWOW64\mnpdcisa\
        2⤵
          PID:864
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mnpdcisa binPath= "C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe /d\"C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:664
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description mnpdcisa "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:320
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start mnpdcisa
          2⤵
          • Launches sc.exe
          PID:700
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1488
      • C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe
        C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe /d"C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1904

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\vcfazttn.exe

        Filesize

        14.4MB

        MD5

        649d62a13cad40b60bb6a0c44065a574

        SHA1

        fa23cc57af0e2dd40dbc8244731d6467bf6ec7d2

        SHA256

        82dafa715329ca2f026fe1f42c31eefb4a449077b3b11d3916c4091987f5aa03

        SHA512

        d28a121bf33cab395ab737f9d5ec373ba7c528068d15f756fd5f0ab29a1f27d9748111db28bd7aab3d4ec8210fdea5f5cbf8980d52bbba2b1ccf973d7bfb45a3

      • C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe

        Filesize

        14.4MB

        MD5

        649d62a13cad40b60bb6a0c44065a574

        SHA1

        fa23cc57af0e2dd40dbc8244731d6467bf6ec7d2

        SHA256

        82dafa715329ca2f026fe1f42c31eefb4a449077b3b11d3916c4091987f5aa03

        SHA512

        d28a121bf33cab395ab737f9d5ec373ba7c528068d15f756fd5f0ab29a1f27d9748111db28bd7aab3d4ec8210fdea5f5cbf8980d52bbba2b1ccf973d7bfb45a3

      • memory/1056-56-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/1056-65-0x0000000000400000-0x00000000004B3000-memory.dmp

        Filesize

        716KB

      • memory/1904-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/1904-60-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/1904-62-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/1904-67-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/1904-68-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/1904-69-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/1904-71-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

      • memory/2016-66-0x0000000000400000-0x00000000004B3000-memory.dmp

        Filesize

        716KB