Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10/10/2023, 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    294KB

  • MD5

    44b65e6b1c5c97f08604d6386e073755

  • SHA1

    ef3a38c06da42adf5855c9ca04afc3a264189abb

  • SHA256

    6414aa1f08ec3168c6c2630d3ebd5d9a184c0520bfa3c8018d23e74ee088021c

  • SHA512

    bd397b6eafdecfa6e72bb990757650566512a4c7eb12d75479fa9ef7a481542be9ccb57f538f0ed4d2e4fe77444c3aa99043b0b78663d8c740f6736ec8d84e60

  • SSDEEP

    6144:U5ZKe+CEiMKqR3p5X0WVKwn01r7ufeQRM:UzB+CEfv3p5XtVKpCmQ

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ekarqpbu\
      2⤵
        PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\twpaajkk.exe" C:\Windows\SysWOW64\ekarqpbu\
        2⤵
          PID:2964
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ekarqpbu binPath= "C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:320
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ekarqpbu "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2360
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ekarqpbu
          2⤵
          • Launches sc.exe
          PID:2648
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2696
      • C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe
        C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:1888

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\twpaajkk.exe
        Filesize

        10.8MB

        MD5

        1c14997f49f1d76dbe008498ecac01ab

        SHA1

        955629d0b7c6d70b3cc3ae802a9a57e4b69c56cd

        SHA256

        0658cc9da8f47338d838ae6232dd7841ab1450d6e4549f580c29a0a5f963f6ad

        SHA512

        44e05cb0de23186bd99112a1276fc567a95024fec24f3e4e8040709586c42b0fa2affe39a5ec2dc659a97a5f7709d8e2a3913f0759806ccd2a11c288cda8be10

        Download Submit

      • C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe
        Filesize

        10.8MB

        MD5

        1c14997f49f1d76dbe008498ecac01ab

        SHA1

        955629d0b7c6d70b3cc3ae802a9a57e4b69c56cd

        SHA256

        0658cc9da8f47338d838ae6232dd7841ab1450d6e4549f580c29a0a5f963f6ad

        SHA512

        44e05cb0de23186bd99112a1276fc567a95024fec24f3e4e8040709586c42b0fa2affe39a5ec2dc659a97a5f7709d8e2a3913f0759806ccd2a11c288cda8be10

        Download Submit

      • memory/1888-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1888-23-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1888-28-0x0000000000110000-0x0000000000116000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1888-27-0x0000000001940000-0x0000000001B4F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1888-24-0x0000000001940000-0x0000000001B4F000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1888-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1888-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1888-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1888-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2748-11-0x0000000000400000-0x0000000002287000-memory.dmp

        Filesize

        30.5MB

        Download

      • memory/2748-17-0x0000000000400000-0x0000000002287000-memory.dmp

        Filesize

        30.5MB

        Download

      • memory/2748-10-0x0000000002340000-0x0000000002440000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3028-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3028-4-0x0000000000400000-0x0000000002287000-memory.dmp

        Filesize

        30.5MB

        Download

      • memory/3028-8-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

        Download

      • memory/3028-6-0x0000000000400000-0x0000000002287000-memory.dmp

        Filesize

        30.5MB

        Download

      • memory/3028-2-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

        Download