Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/11/2023, 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    272KB

  • MD5

    76c98648f11970e09c160ae0224cb9f2

  • SHA1

    a1c7aa09a9ea241d69b8d378b98b64a7132b8929

  • SHA256

    de3cdc934393a5e4065690686ff7042e51f89efbcd15ca4df1f08dfcca8622f1

  • SHA512

    5e967565241c8d18f79e145e73df6050b480de31f40188d2cd70bd6a9d178c4fa93fcc1696ed7342bcf90b34a4a11168bd8a3852c626e97d636e0b60d03615ab

  • SSDEEP

    3072:yks08uYWLa6HVkluiY+BGzF88GK5ydpRsIgtCT6RsVip39iVR:DvTYivSxYTWXKypVipM

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 17 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nncvlyya\
      2⤵
        PID:3736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\getbukfb.exe" C:\Windows\SysWOW64\nncvlyya\
        2⤵
          PID:3512
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nncvlyya binPath= "C:\Windows\SysWOW64\nncvlyya\getbukfb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4028
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nncvlyya "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2008
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nncvlyya
          2⤵
          • Launches sc.exe
          PID:3616
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2236
      • C:\Windows\SysWOW64\nncvlyya\getbukfb.exe
        C:\Windows\SysWOW64\nncvlyya\getbukfb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mhkrrbfa\
          2⤵
            PID:4084
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\wujrkavr.exe" C:\Windows\SysWOW64\mhkrrbfa\
            2⤵
              PID:3780
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" create mhkrrbfa binPath= "C:\Windows\SysWOW64\mhkrrbfa\wujrkavr.exe /d\"C:\Windows\SysWOW64\nncvlyya\getbukfb.exe\"" type= own start= auto DisplayName= "wifi support"
              2⤵
              • Launches sc.exe
              PID:3524
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description mhkrrbfa "wifi internet conection"
              2⤵
              • Launches sc.exe
              PID:2640
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mhkrrbfa
              2⤵
              • Launches sc.exe
              PID:4164
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              2⤵
              • Modifies Windows Firewall
              PID:1796
          • C:\Windows\SysWOW64\mhkrrbfa\wujrkavr.exe
            C:\Windows\SysWOW64\mhkrrbfa\wujrkavr.exe /d"C:\Windows\SysWOW64\nncvlyya\getbukfb.exe"
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:920
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\qcsftsko.exe" C:\Windows\SysWOW64\nncvlyya\
              2⤵
                PID:1472
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" config nncvlyya binPath= "C:\Windows\SysWOW64\nncvlyya\qcsftsko.exe /d\"C:\Windows\SysWOW64\mhkrrbfa\wujrkavr.exe\""
                2⤵
                • Launches sc.exe
                PID:2304
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" start nncvlyya
                2⤵
                • Launches sc.exe
                PID:3356
            • C:\Windows\SysWOW64\nncvlyya\qcsftsko.exe
              C:\Windows\SysWOW64\nncvlyya\qcsftsko.exe /d"C:\Windows\SysWOW64\mhkrrbfa\wujrkavr.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                2⤵
                • Sets service image path in registry
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                PID:2244

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\getbukfb.exe
              Filesize

              11.5MB

              MD5

              ea781991a17b5380b936410089cda0af

              SHA1

              499b33c20f90e30d202d33d39b09ad8449690a2f

              SHA256

              4371a741b9dfc6aeb446d1b2d67b4d01d4f18de3e41414cdddc6cfee840751d0

              SHA512

              fe3b4fbbafb74f40e3debbc656f5a8f71f1635c41a92a20dc63fcd535ebed7d879d61f0da865e36c62aaae4290123c7c3358cb110c2d9beec0d29f16192fa2af

              Download Submit

            • C:\Windows\SysWOW64\nncvlyya\getbukfb.exe
              Filesize

              11.5MB

              MD5

              ea781991a17b5380b936410089cda0af

              SHA1

              499b33c20f90e30d202d33d39b09ad8449690a2f

              SHA256

              4371a741b9dfc6aeb446d1b2d67b4d01d4f18de3e41414cdddc6cfee840751d0

              SHA512

              fe3b4fbbafb74f40e3debbc656f5a8f71f1635c41a92a20dc63fcd535ebed7d879d61f0da865e36c62aaae4290123c7c3358cb110c2d9beec0d29f16192fa2af

              Download Submit

            • C:\Windows\SysWOW64\nncvlyya\qcsftsko.exe
              Filesize

              12.5MB

              MD5

              51a5a538e12e1c22836990bca24fd452

              SHA1

              bb2f33d1ce4edbc093f617b07b77093d574099eb

              SHA256

              a7a6473ba4bb7b465ffd548257b655628c53384ede1322b24e216bf0b2453a01

              SHA512

              f390bbf8ca6c5ee4f663181f68c9b42f885fb9d8cf55e0ca37cc8318ea069a685bfcf8e8c0770305ed31ef1d1ced0aa57b4732e3f638265c18f0e5acc9990483

              Download Submit

            • C:\Windows\TEMP\qcsftsko.exe
              Filesize

              12.5MB

              MD5

              51a5a538e12e1c22836990bca24fd452

              SHA1

              bb2f33d1ce4edbc093f617b07b77093d574099eb

              SHA256

              a7a6473ba4bb7b465ffd548257b655628c53384ede1322b24e216bf0b2453a01

              SHA512

              f390bbf8ca6c5ee4f663181f68c9b42f885fb9d8cf55e0ca37cc8318ea069a685bfcf8e8c0770305ed31ef1d1ced0aa57b4732e3f638265c18f0e5acc9990483

              Download Submit

            • memory/440-8-0x0000000000590000-0x00000000005A3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/440-7-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/440-1-0x0000000000610000-0x0000000000710000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/440-3-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/440-2-0x0000000000590000-0x00000000005A3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/768-21-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/768-18-0x00000000007C0000-0x00000000008C0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/768-19-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/920-11-0x00000000005A0000-0x00000000006A0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/920-13-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/920-15-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download

            • memory/2244-34-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-45-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-24-0x0000000000640000-0x0000000000655000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2244-25-0x0000000000640000-0x0000000000655000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2244-27-0x0000000002200000-0x000000000240F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2244-30-0x0000000002200000-0x000000000240F000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2244-31-0x0000000002510000-0x0000000002516000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2244-66-0x0000000000640000-0x0000000000655000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2244-37-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-38-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-39-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-40-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-41-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-42-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-43-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-20-0x0000000000640000-0x0000000000655000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2244-46-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-44-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-47-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-48-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-49-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-50-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-51-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-52-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-53-0x0000000002520000-0x0000000002530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-54-0x00000000027F0000-0x00000000027F5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2244-57-0x00000000027F0000-0x00000000027F5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2244-58-0x0000000007200000-0x000000000760B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2244-61-0x0000000007200000-0x000000000760B000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2244-62-0x0000000007750000-0x0000000007757000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2832-9-0x0000000000400000-0x00000000004F7000-memory.dmp

              Filesize

              988KB

              Download