Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2023, 19:03

General

  • Target

    281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe

  • Size

    13.1MB

  • MD5

    873c0a981c80da05593897c6aec0e842

  • SHA1

    3fb083e944c36cc3a938e64d9c10ace3065d444a

  • SHA256

    281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913

  • SHA512

    27c119c25dbe7cca2da3043eff931bfc0d9ad5b34cd7489000181cf3d8aa6814b83ef1185f6e7f692e9e87cca17d9b5c5d89ab0402e9264840fa80f5da21800d

  • SSDEEP

    393216:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe
    "C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rlzhnbug\
      2⤵
        PID:1808
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nzauplmj.exe" C:\Windows\SysWOW64\rlzhnbug\
        2⤵
          PID:980
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create rlzhnbug binPath= "C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe /d\"C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1292
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description rlzhnbug "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1336
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start rlzhnbug
          2⤵
          • Launches sc.exe
          PID:4664
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2840
      • C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe
        C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe /d"C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:2784

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nzauplmj.exe

        Filesize

        12.0MB

        MD5

        e53c5065714275906dbd62cd4a071d0f

        SHA1

        7e5eace3ba31dd0358758fdb7995f0dce02b5b45

        SHA256

        90b1664f8c5c837bf888ff2b82d15cf104e8bb3ce11b2c7c9238352907b1945f

        SHA512

        0a1b3afc08e7a5a928559d61ab089f206b4753f25353e1bf1b4f17ff43c4df5842c45e4833ef06973f81b3f7c0ed1c46000844b62e32a8852e77649a6d4e207b

      • C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe

        Filesize

        12.0MB

        MD5

        e53c5065714275906dbd62cd4a071d0f

        SHA1

        7e5eace3ba31dd0358758fdb7995f0dce02b5b45

        SHA256

        90b1664f8c5c837bf888ff2b82d15cf104e8bb3ce11b2c7c9238352907b1945f

        SHA512

        0a1b3afc08e7a5a928559d61ab089f206b4753f25353e1bf1b4f17ff43c4df5842c45e4833ef06973f81b3f7c0ed1c46000844b62e32a8852e77649a6d4e207b

      • memory/764-12-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/764-8-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

        Filesize

        4KB

      • memory/2784-10-0x0000000000CF0000-0x0000000000D05000-memory.dmp

        Filesize

        84KB

      • memory/2784-15-0x0000000000CF0000-0x0000000000D05000-memory.dmp

        Filesize

        84KB

      • memory/2784-14-0x0000000000CF0000-0x0000000000D05000-memory.dmp

        Filesize

        84KB

      • memory/2784-16-0x0000000000CF0000-0x0000000000D05000-memory.dmp

        Filesize

        84KB

      • memory/2784-17-0x0000000000CF0000-0x0000000000D05000-memory.dmp

        Filesize

        84KB

      • memory/3080-4-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/3080-0-0x0000000002270000-0x0000000002271000-memory.dmp

        Filesize

        4KB

      • memory/3080-6-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/3080-2-0x00000000005C0000-0x00000000005C1000-memory.dmp

        Filesize

        4KB

      • memory/3080-1-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB