Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230824-en
  • resource tags

    arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
  • submitted
    31/08/2023, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    243KB

  • MD5

    cb7d981a41514e05e06f245e41def1b1

  • SHA1

    e72486411d3f0d30143cca799ff5b22c719db778

  • SHA256

    27fca545923d2b0afc8f1075cb68eea4ebfb38e1e4184883ada0a5f24e9e014d

  • SHA512

    98b2d86c95350993d9adde9b8af9ca6d876b8976bf194f832129c39481ab0f86b547e2a1e3d631e8c783d0e680e91408fb756e95329049604cc1216fb5f4daa5

  • SSDEEP

    3072:ErEg4+jlrQ/peokrb2aapOQ49yDe206gqzANPtyu/uf4nm3CQ4++5lmj:RkQpeoSb2aVZU0+ARtyuW6fT5lm

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sfmfuhhf\
      2⤵
        PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rurkbdxn.exe" C:\Windows\SysWOW64\sfmfuhhf\
        2⤵
          PID:2364
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create sfmfuhhf binPath= "C:\Windows\SysWOW64\sfmfuhhf\rurkbdxn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2820
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description sfmfuhhf "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2124
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start sfmfuhhf
          2⤵
          • Launches sc.exe
          PID:2756
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2744
      • C:\Windows\SysWOW64\sfmfuhhf\rurkbdxn.exe
        C:\Windows\SysWOW64\sfmfuhhf\rurkbdxn.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
            PID:2792

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\rurkbdxn.exe
          Filesize

          13.5MB

          MD5

          5fbb429e9cbf99812ce8137b937faae8

          SHA1

          ae7e0c6fdab8fb6031aac4a69da9c3d2ef0ab84d

          SHA256

          d4584a7e9056e939ddeb1e2a7cdac1df13239503a0c4aae2132cfae6d3c54747

          SHA512

          7a5c74e5a3cf616941c384f36ebbdd8fe204e2fae844cb739bcd3c561fa98d5a663ed7af9006596490552168a0ef6d0695e248a2abcefa9d346e40a8041f2eca

          Download Submit

        • C:\Windows\SysWOW64\sfmfuhhf\rurkbdxn.exe
          Filesize

          13.5MB

          MD5

          5fbb429e9cbf99812ce8137b937faae8

          SHA1

          ae7e0c6fdab8fb6031aac4a69da9c3d2ef0ab84d

          SHA256

          d4584a7e9056e939ddeb1e2a7cdac1df13239503a0c4aae2132cfae6d3c54747

          SHA512

          7a5c74e5a3cf616941c384f36ebbdd8fe204e2fae844cb739bcd3c561fa98d5a663ed7af9006596490552168a0ef6d0695e248a2abcefa9d346e40a8041f2eca

          Download Submit

        • memory/1136-4-0x0000000000400000-0x0000000001F14000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/1136-2-0x00000000002A0000-0x00000000002B3000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1136-6-0x0000000000400000-0x0000000001F14000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/1136-7-0x00000000002A0000-0x00000000002B3000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1136-1-0x0000000001F90000-0x0000000002090000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2552-10-0x00000000002D0000-0x00000000003D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2552-12-0x0000000000400000-0x0000000001F14000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/2552-15-0x00000000002D0000-0x00000000003D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2552-16-0x0000000000400000-0x0000000001F14000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/2792-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2792-11-0x0000000000080000-0x0000000000095000-memory.dmp

          Filesize

          84KB

          Download