Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

df050e76b4...JC.exe

windows7-x64

10

df050e76b4...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2023, 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe_JC.exe

  • Size

    238KB

  • MD5

    51ffe610f2d2622d296524c8fb85f879

  • SHA1

    72e064dc54e07262f34c2c80ca4f0855d893817a

  • SHA256

    df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe

  • SHA512

    4f0215560d1c37fc5c54921099ea18e41cdf73d3dbc98927f424a13c2905d02a6f060581a9e0589210456077e5a23ed4fd6fd1854d2cfa5f70325885f0f744a3

  • SSDEEP

    3072:8vWq9BylhWz4dSXiei87VmTOakmo0SykjTlpP0fsfCGZ5Ffy6Jp4bo6:8uZCzySXZbMsmo0GDPKsfCD6Jp4

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zoxjynym\
      2⤵
        PID:4240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ywltmcxt.exe" C:\Windows\SysWOW64\zoxjynym\
        2⤵
          PID:1952
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create zoxjynym binPath= "C:\Windows\SysWOW64\zoxjynym\ywltmcxt.exe /d\"C:\Users\Admin\AppData\Local\Temp\df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe_JC.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1048
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description zoxjynym "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3348
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start zoxjynym
          2⤵
          • Launches sc.exe
          PID:3220
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4772
      • C:\Windows\SysWOW64\zoxjynym\ywltmcxt.exe
        C:\Windows\SysWOW64\zoxjynym\ywltmcxt.exe /d"C:\Users\Admin\AppData\Local\Temp\df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe_JC.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:3716
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        1⤵
          PID:2024
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k UnistackSvcGroup
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ywltmcxt.exe
          Filesize

          13.5MB

          MD5

          a92de2698c31778161e4ac545a0ae927

          SHA1

          cbf64d8e0b2da3a55acb4a691d781656d7afc671

          SHA256

          cf9d299aa22903002c1c36ccab100702a6b2c437b81b0f9ff0c8490aa2025dd9

          SHA512

          99f00d3a546c70ae1950eb5393970e7ad7a5b8a571fa2cb9d43e66c90b3d5b843defa2e536897efcd0ef38874088484b5ee74aaa098ae5a0a86d97315c79c290

          Download Submit

        • C:\Windows\SysWOW64\zoxjynym\ywltmcxt.exe
          Filesize

          13.5MB

          MD5

          a92de2698c31778161e4ac545a0ae927

          SHA1

          cbf64d8e0b2da3a55acb4a691d781656d7afc671

          SHA256

          cf9d299aa22903002c1c36ccab100702a6b2c437b81b0f9ff0c8490aa2025dd9

          SHA512

          99f00d3a546c70ae1950eb5393970e7ad7a5b8a571fa2cb9d43e66c90b3d5b843defa2e536897efcd0ef38874088484b5ee74aaa098ae5a0a86d97315c79c290

          Download Submit

        • memory/556-76-0x000001B5E8B40000-0x000001B5E8B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/556-60-0x000001B5E8A40000-0x000001B5E8A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1872-10-0x00000000025D0000-0x00000000026D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1872-18-0x0000000000400000-0x0000000002436000-memory.dmp

          Filesize

          32.2MB

          Download

        • memory/1872-15-0x0000000000400000-0x0000000002436000-memory.dmp

          Filesize

          32.2MB

          Download

        • memory/3716-33-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-36-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-14-0x0000000000CC0000-0x0000000000CD5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3716-56-0x00000000021E0000-0x00000000021E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3716-16-0x0000000000CC0000-0x0000000000CD5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3716-17-0x0000000000CC0000-0x0000000000CD5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3716-55-0x0000000007900000-0x0000000007D0B000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3716-20-0x0000000000CC0000-0x0000000000CD5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3716-21-0x0000000002A00000-0x0000000002C0F000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3716-24-0x0000000002A00000-0x0000000002C0F000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3716-25-0x0000000002170000-0x0000000002176000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3716-28-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-32-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-52-0x0000000007900000-0x0000000007D0B000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3716-31-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-34-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-35-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-11-0x0000000000CC0000-0x0000000000CD5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3716-37-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-39-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-38-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-40-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-41-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-42-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-44-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-43-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-45-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-46-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-47-0x0000000002180000-0x0000000002190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3716-48-0x00000000021D0000-0x00000000021D5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/3716-51-0x00000000021D0000-0x00000000021D5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/5056-1-0x00000000026F0000-0x00000000027F0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/5056-8-0x0000000000400000-0x0000000002436000-memory.dmp

          Filesize

          32.2MB

          Download

        • memory/5056-9-0x0000000004190000-0x00000000041A3000-memory.dmp

          Filesize

          76KB

          Download

        • memory/5056-4-0x0000000000400000-0x0000000002436000-memory.dmp

          Filesize

          32.2MB

          Download

        • memory/5056-2-0x0000000004190000-0x00000000041A3000-memory.dmp

          Filesize

          76KB

          Download