Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file

  • Size

    304KB

  • Sample

    230703-3a4s4sad63

  • MD5

    f7a4259a3b2ab96e30cb58c4e5cda3e6

  • SHA1

    40bb757854553230616307cd50c811ac25ba535f

  • SHA256

    3c7379928cdae48f4a016111467d0ecf2abba802e3e0003b79fa93dc48e62087

  • SHA512

    3c0a22e0692c964013f3799686647cab9f37f88fe4121c18d18d9c62b33d52da612780fd69ff055d7b8104197ea7483294575ef996c3fe83cf4718aa4a9eae84

  • SSDEEP

    3072:qnlW2D7U6wBsgnSPpXU1ReqVY9qnGw7nHHVKJ0TN6YrhHwCD25Gja:QU6gSRXU1lVY9SGink0NzrdDX

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file

    • Size

      304KB

    • MD5

      f7a4259a3b2ab96e30cb58c4e5cda3e6

    • SHA1

      40bb757854553230616307cd50c811ac25ba535f

    • SHA256

      3c7379928cdae48f4a016111467d0ecf2abba802e3e0003b79fa93dc48e62087

    • SHA512

      3c0a22e0692c964013f3799686647cab9f37f88fe4121c18d18d9c62b33d52da612780fd69ff055d7b8104197ea7483294575ef996c3fe83cf4718aa4a9eae84

    • SSDEEP

      3072:qnlW2D7U6wBsgnSPpXU1ReqVY9qnGw7nHHVKJ0TN6YrhHwCD25Gja:QU6gSRXU1lVY9SGink0NzrdDX

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks