Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

106162a9e7...53.exe

windows7-x64

10

106162a9e7...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    106162a9e72052611f27b255db7a5d53.exe

  • Size

    10.7MB

  • MD5

    106162a9e72052611f27b255db7a5d53

  • SHA1

    b2c8f9a1c6cd769bdad4d45b3e340b28e0bb2092

  • SHA256

    0bd0d596230aa3958d9f54bd43d3de94685dd9f7ed3e8bd0b5c1a01d48d7e34e

  • SHA512

    0b5966e406ba6c3d861e5b982a539a51c836a8fb08fd1c9295f17c108d29ae72ad687689eadb9fe3540924afab949598dd6f2108f7498d79edffa2a93a7b9ec9

  • SSDEEP

    49152:3nHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:3

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe
    "C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cyuenvsv\
      2⤵
        PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vvwekfht.exe" C:\Windows\SysWOW64\cyuenvsv\
        2⤵
          PID:2688
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create cyuenvsv binPath= "C:\Windows\SysWOW64\cyuenvsv\vvwekfht.exe /d\"C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2784
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description cyuenvsv "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2812
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start cyuenvsv
          2⤵
          • Launches sc.exe
          PID:2828
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2796
      • C:\Windows\SysWOW64\cyuenvsv\vvwekfht.exe
        C:\Windows\SysWOW64\cyuenvsv\vvwekfht.exe /d"C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\vvwekfht.exe
        Filesize

        13.7MB

        MD5

        b8e797913e6a9619746b1a94d215124d

        SHA1

        6102d4a92d472708b6460a056a91d74c6b0032b8

        SHA256

        c9b40eeff470f9f265a52f5c4fe5790060f04b1b5b54c49728da02d0bf2ddf21

        SHA512

        2ac04353197e60f9f7ecdb0afc8b34d4ef44c92e7155a7695fd0435806304aa99e463d91409d9ce8752f11561da15fd97ef35ac0204a04c005b06d0ab1edd071

        Download Submit

      • memory/1728-1-0x0000000000D00000-0x0000000000E00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1728-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/1728-4-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

        Download

      • memory/1728-6-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

        Download

      • memory/1728-7-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2068-11-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2068-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2068-15-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2068-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2068-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2068-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2540-10-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2540-13-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

        Download

      • memory/2540-17-0x0000000000400000-0x0000000000C14000-memory.dmp

        Filesize

        8.1MB

        Download