Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0bc1320cc6...9e.exe

windows7-x64

10

0bc1320cc6...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bc1320cc6400eb3d0ef6e0ffd52ad9e.exe

  • Size

    15.0MB

  • MD5

    0bc1320cc6400eb3d0ef6e0ffd52ad9e

  • SHA1

    e507245cc7fae623067823c1e32c3059e68ba267

  • SHA256

    dcc331955bb4aee347e5702cd4311e66266c4bdf2d7e75eaaecec72ff45eaeb5

  • SHA512

    395e3938389375b5a171df71980aa5853ddd662147692a4765f24ccc1d6d9296e6f53d338ce75e045a7bf79ef6c3df8beb77fca32a3f39b141afafe889f9a68a

  • SSDEEP

    24576:CerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbH:CsW

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bc1320cc6400eb3d0ef6e0ffd52ad9e.exe
    "C:\Users\Admin\AppData\Local\Temp\0bc1320cc6400eb3d0ef6e0ffd52ad9e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rhwusxcg\
      2⤵
        PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jetdinfd.exe" C:\Windows\SysWOW64\rhwusxcg\
        2⤵
          PID:2756
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create rhwusxcg binPath= "C:\Windows\SysWOW64\rhwusxcg\jetdinfd.exe /d\"C:\Users\Admin\AppData\Local\Temp\0bc1320cc6400eb3d0ef6e0ffd52ad9e.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2648
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description rhwusxcg "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1764
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start rhwusxcg
          2⤵
          • Launches sc.exe
          PID:2800
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1860
      • C:\Windows\SysWOW64\rhwusxcg\jetdinfd.exe
        C:\Windows\SysWOW64\rhwusxcg\jetdinfd.exe /d"C:\Users\Admin\AppData\Local\Temp\0bc1320cc6400eb3d0ef6e0ffd52ad9e.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\jetdinfd.exe
        Filesize

        1024KB

        MD5

        24b770031d80e5482bc2c4d6e0bb447f

        SHA1

        898eac7e1232ccb475b50374d0706ac036de29c1

        SHA256

        eee0bb26d295b60d711ddbf71332b743dc72ff1387c8d56ff712ecf13a5c161e

        SHA512

        bf003b54b05775723f4ec673e1d6ac3f6c15a7b863ed3b3266f4dca34794b7b38e18c4d1c8f3d9942b997cf7754072c50e2a8000bbe3361ac3ff88b129843087

        Download Submit

      • C:\Windows\SysWOW64\rhwusxcg\jetdinfd.exe
        Filesize

        42KB

        MD5

        5d00245ecc14ba0ecce2e7eb79f5c717

        SHA1

        2826ca6ab308f2bbf283848f49e9257f88873521

        SHA256

        b57d9d6a41c329cad76a6e6b26134d80b6877025b010464b70d388791126320c

        SHA512

        bf68307eabc6e3ec633ba563815617419de333f5f9c25ebf22d5dbc74455bfe8e6774712bce433fa5e320ff13b539be21c9808ad9493352fba0ccbf7a9edf6e5

        Download Submit

      • memory/2296-9-0x0000000000290000-0x0000000000390000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2296-4-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/2296-3-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2296-8-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/2296-1-0x0000000000290000-0x0000000000390000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2600-14-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-10-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-21-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-20-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-19-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-22-0x00000000000C0000-0x00000000000D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2600-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2864-13-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2864-15-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/2864-17-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download