Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.d15e7...31.exe

windows7-x64

10

NEAS.d15e7...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2023, 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31.exe

  • Size

    259KB

  • MD5

    2a1390eb5563d733832c473f1109e872

  • SHA1

    44429ef9a32e8ce931eeb541a3863ed6f9727ccb

  • SHA256

    d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31

  • SHA512

    5ac6fcbd42942d7656c651fab7432a0942570afc5068e96e6a7c41a0b504059605052eab306193f686199c1bf739a2af0982bf480b995e55b9e116abd6c8b4e2

  • SSDEEP

    3072:GVXQ37fLJYJqgU5AoFCE+MBVaXAlXxDAVh5lRIxEnU:OQLfL2k7xCE+U6exDAfRq

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kccoltvi\
      2⤵
        PID:1388
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qckhnage.exe" C:\Windows\SysWOW64\kccoltvi\
        2⤵
          PID:2220
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kccoltvi binPath= "C:\Windows\SysWOW64\kccoltvi\qckhnage.exe /d\"C:\Users\Admin\AppData\Local\Temp\NEAS.d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:5084
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kccoltvi "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4496
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kccoltvi
          2⤵
          • Launches sc.exe
          PID:3408
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1244
          2⤵
          • Program crash
          PID:5040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 652
          2⤵
          • Program crash
          PID:3472
      • C:\Windows\SysWOW64\kccoltvi\qckhnage.exe
        C:\Windows\SysWOW64\kccoltvi\qckhnage.exe /d"C:\Users\Admin\AppData\Local\Temp\NEAS.d15e72bad1966732249eb9f860d6dcaad2db09541ad67de8eee39febc706aa31.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 520
          2⤵
          • Program crash
          PID:2792
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 564
          2⤵
          • Program crash
          PID:1000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
        1⤵
          PID:2892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4784 -ip 4784
          1⤵
            PID:2640
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4736 -ip 4736
            1⤵
              PID:1860
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4736 -ip 4736
              1⤵
                PID:2308

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\qckhnage.exe
                Filesize

                14.0MB

                MD5

                150576862fe6f4f1b1a24e92d552e986

                SHA1

                bfd4669c9ee017d2120a9c7a90052c8093cb9ee9

                SHA256

                5754a29c80e27633c4d18b1896e3d774a35df445cba1a5ea25179a5c9c46b7f9

                SHA512

                f56802c6bc289b97f0a0b4eaff9cbd7c4c5547a241f1ab8bbf0348e6e8d1425d9df8bba38aac319b2ae7b70e0d767d067d1f00464f5e96def7511fd1db265836

                Download Submit

              • C:\Windows\SysWOW64\kccoltvi\qckhnage.exe
                Filesize

                14.0MB

                MD5

                150576862fe6f4f1b1a24e92d552e986

                SHA1

                bfd4669c9ee017d2120a9c7a90052c8093cb9ee9

                SHA256

                5754a29c80e27633c4d18b1896e3d774a35df445cba1a5ea25179a5c9c46b7f9

                SHA512

                f56802c6bc289b97f0a0b4eaff9cbd7c4c5547a241f1ab8bbf0348e6e8d1425d9df8bba38aac319b2ae7b70e0d767d067d1f00464f5e96def7511fd1db265836

                Download Submit

              • memory/4736-18-0x0000000000400000-0x00000000004F3000-memory.dmp

                Filesize

                972KB

                Download

              • memory/4736-10-0x0000000000610000-0x0000000000710000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4736-12-0x0000000000400000-0x00000000004F3000-memory.dmp

                Filesize

                972KB

                Download

              • memory/4784-2-0x0000000002250000-0x0000000002263000-memory.dmp

                Filesize

                76KB

                Download

              • memory/4784-3-0x0000000000400000-0x00000000004F3000-memory.dmp

                Filesize

                972KB

                Download

              • memory/4784-9-0x0000000002250000-0x0000000002263000-memory.dmp

                Filesize

                76KB

                Download

              • memory/4784-8-0x0000000000400000-0x00000000004F3000-memory.dmp

                Filesize

                972KB

                Download

              • memory/4784-1-0x0000000000670000-0x0000000000770000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4996-33-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-38-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-16-0x0000000001080000-0x0000000001095000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4996-20-0x0000000001080000-0x0000000001095000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4996-21-0x0000000002C00000-0x0000000002E0F000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4996-24-0x0000000002C00000-0x0000000002E0F000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4996-25-0x00000000023F0000-0x00000000023F6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4996-28-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-31-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-32-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-11-0x0000000001080000-0x0000000001095000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4996-35-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-36-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-37-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-34-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-17-0x0000000001080000-0x0000000001095000-memory.dmp

                Filesize

                84KB

                Download

              • memory/4996-39-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-40-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-41-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-43-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-42-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-45-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-46-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-44-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-47-0x0000000002F50000-0x0000000002F60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4996-48-0x00000000031E0000-0x00000000031E5000-memory.dmp

                Filesize

                20KB

                Download

              • memory/4996-51-0x00000000031E0000-0x00000000031E5000-memory.dmp

                Filesize

                20KB

                Download

              • memory/4996-52-0x0000000007C40000-0x000000000804B000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/4996-55-0x0000000007C40000-0x000000000804B000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/4996-56-0x00000000031F0000-0x00000000031F7000-memory.dmp

                Filesize

                28KB

                Download