Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

570cb3c8f1...88.exe

windows7-x64

10

570cb3c8f1...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    570cb3c8f1b4128dccabb856d58cce88.exe

  • Size

    13.7MB

  • MD5

    570cb3c8f1b4128dccabb856d58cce88

  • SHA1

    13a367d5217658076dea133c23f77b38d72c7e7a

  • SHA256

    ed12839b6d59af224c0160bb7431a252658952672b23436f0da75343ad30d9bb

  • SHA512

    5ceb0ab5dda28c22dca372a537270ad386e52a7ffefba94f508141641e6c0abd73e45dd5387b1640de2575d6c11fa808cfcca2d27ae93cae75065e265fafde1d

  • SSDEEP

    24576:kjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:knh

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe
    "C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe"
    1⤵
      PID:3584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsezhles\
        2⤵
          PID:868
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bbytwnew.exe" C:\Windows\SysWOW64\tsezhles\
          2⤵
            PID:3612
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create tsezhles binPath= "C:\Windows\SysWOW64\tsezhles\bbytwnew.exe /d\"C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe\"" type= own start= auto DisplayName= "wifi support"
            2⤵
            • Launches sc.exe
            PID:4264
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description tsezhles "wifi internet conection"
            2⤵
            • Launches sc.exe
            PID:3404
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" start tsezhles
            2⤵
            • Launches sc.exe
            PID:4104
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            2⤵
            • Modifies Windows Firewall
            PID:4528
        • C:\Windows\SysWOW64\tsezhles\bbytwnew.exe
          C:\Windows\SysWOW64\tsezhles\bbytwnew.exe /d"C:\Users\Admin\AppData\Local\Temp\570cb3c8f1b4128dccabb856d58cce88.exe"
          1⤵
            PID:2360
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              2⤵
                PID:4780

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2360-10-0x0000000000510000-0x0000000000523000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2360-8-0x00000000005D0000-0x00000000006D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2360-12-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/3584-15-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/3584-1-0x00000000004C0000-0x00000000005C0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3584-3-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/3584-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/3584-23-0x00000000004C0000-0x00000000005C0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4780-14-0x0000000000430000-0x0000000000445000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4780-9-0x0000000000430000-0x0000000000445000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4780-16-0x0000000000430000-0x0000000000445000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4780-17-0x0000000000430000-0x0000000000445000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4780-25-0x0000000000430000-0x0000000000445000-memory.dmp

              Filesize

              84KB

              Download