General

  • Target

    7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2.zip

  • Size

    178KB

  • Sample

    231119-zj6ghsbd96

  • MD5

    af12c7aa9a8e7b7d0af8dc4e5ecfa731

  • SHA1

    90392fed00197e41ac7cf384e7adc30ac0da7780

  • SHA256

    71f5ed5ba9b8b6461ab8446c318bf11d8a1b42cf13b02eda3f8cb4908cdd206d

  • SHA512

    7f0ab69d1a27ac6eb80e7ae78007ddb4bc9db9a63680a4346654635fb1eecdae643a40c9beab8bd2c67331796d1137872403d2639ce296db7f678dde2b5c3d34

  • SSDEEP

    3072:I9MCpdr7mXBPlUDHEiv9oPzg6/apydPjL2B6tLjtDFpFFcDuL3Gbrdt0cLHe8:ZSmxPlUFmzgIaMdP/4c/F7L3G/dt0cbp

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2.exe

    • Size

      338KB

    • MD5

      5c5387efb7f70cd46012c6f8f4cc0e1a

    • SHA1

      c2ad2a7be652d8b73cdeb794b498c03d8f783bc4

    • SHA256

      7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2

    • SHA512

      bc6a38573e87fc6bc7b945ee76f5b8102e5adfa1ff6262356212a0fb66f2b4cb071193df75f05da715627d1d4c5cb2cd733f786371bf271e5ee94f88557de65d

    • SSDEEP

      3072:M9xApN8qo8I+HI0C+iUn9wYaA8MqfvJLAiT12Rerybp80C:wTqoQHIbYatRJLAiT3ry3

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner; its presence here indicates a cryptomining payload delivered alongside the Tofsee backdoor.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
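The two C2 domains and the file hashes above are the indicators a defender would actually hunt with. The following is an added example, not code from tria.ge or the report, that turns them into a small triage helper: it flags DNS queries to the Tofsee C2 domains (matching on label boundaries so a look-alike such as notjotunheim.name is not a false positive) and labels a file by its SHA-256 against the report's hashes. The DNS log lines and their "timestamp client qtype qname" layout are constructed for the example; the hashes and domains are copied from the report.

```python
"""IOC triage helper built from the indicators in this tria.ge report.
Added example: not tria.ge code. The DNS log format below is an assumption."""
import hashlib

# Indicators copied from the report above.
TOFSEE_C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}
KNOWN_SHA256 = {
    # outer archive (178KB .zip)
    "71f5ed5ba9b8b6461ab8446c318bf11d8a1b42cf13b02eda3f8cb4908cdd206d": "tofsee dropper archive (.zip)",
    # dropped executable (338KB .exe)
    "7e9ccdf57f7fe03c9e2efd738b6490aabed53615f70a101a8c1cd008716fa6d2": "tofsee payload (.exe)",
}

# Constructed sample DNS query log; layout "<timestamp> <client-ip> <qtype> <qname>" is assumed.
SAMPLE_DNS_LOG = """\
2023-11-19T20:41:03Z 10.0.0.17 A www.example.com
2023-11-19T20:41:05Z 10.0.0.17 A vanaheim.cn
2023-11-19T20:41:06Z 10.0.0.17 A mail.jotunheim.name.
2023-11-19T20:41:08Z 10.0.0.22 A notjotunheim.name
2023-11-19T20:41:09Z 10.0.0.17 A JOTUNHEIM.NAME
"""


def normalize_qname(qname: str) -> str:
    """Strip a trailing root dot and fold case so log variants compare equal."""
    return qname.rstrip(".").lower()


def matches_c2(qname: str, c2_domains=TOFSEE_C2_DOMAINS) -> bool:
    """True if qname is one of the C2 domains or a subdomain of one.
    Matching on the label boundary ('.' + domain) keeps look-alikes such as
    'notjotunheim.name' from matching 'jotunheim.name'."""
    name = normalize_qname(qname)
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def scan_dns_log(text: str):
    """Return (client, qname) pairs for every query that hits a C2 domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        _ts, client, _qtype, qname = parts[:4]
        if matches_c2(qname):
            hits.append((client, normalize_qname(qname)))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_hash(sha256: str):
    """Label for a SHA-256 that appears in the report, else None. Case-insensitive."""
    return KNOWN_SHA256.get(sha256.strip().lower())


def classify_blob(data: bytes):
    """Hash a file's bytes and label it if it is one of the report's samples."""
    return lookup_hash(sha256_hex(data))


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
    # A constructed blob will not match; a real copy of the dropped .exe would.
    print(classify_blob(b"constructed placeholder bytes"))
```

On a real host the same two functions would be fed the resolver log and the bytes of any file dropped into System32 (the report notes the sample drops a file there and registers a service pointing at it), and the service image path from the registry would be the file to hash first.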

MITRE ATT&CK Enterprise v15

Tasks