Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2570fd0805...a0.exe

windows7-x64

10

2570fd0805...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2570fd0805f9ef4070865a06a14ec7a0.exe

  • Size

    13.2MB

  • MD5

    2570fd0805f9ef4070865a06a14ec7a0

  • SHA1

    164161104d9d8a343bff12048fdf578c6bbfc7f4

  • SHA256

    705a1a64abd45caa351fcdf99d7c7d30ccb7740b7e66eb5b892e16db4bb4bbf9

  • SHA512

    f3020219a4f1bcd7118b8579bc38dd9b56ed768d5596ed5e12791782c18a0665a8e0f29c61ca52c284860e73479acd38ac4b830507279a1d70e8adb1cb899355

  • SSDEEP

    12288:RB9zHI0G+1OD5eLRriDvvZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZz:RBRXLlo

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2570fd0805f9ef4070865a06a14ec7a0.exe
    "C:\Users\Admin\AppData\Local\Temp\2570fd0805f9ef4070865a06a14ec7a0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gezbihje\
      2⤵
        PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oxfdwybb.exe" C:\Windows\SysWOW64\gezbihje\
        2⤵
          PID:2712
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gezbihje binPath= "C:\Windows\SysWOW64\gezbihje\oxfdwybb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2570fd0805f9ef4070865a06a14ec7a0.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2568
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gezbihje "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2796
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gezbihje
          2⤵
          • Launches sc.exe
          PID:2804
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2732
      • C:\Windows\SysWOW64\gezbihje\oxfdwybb.exe
        C:\Windows\SysWOW64\gezbihje\oxfdwybb.exe /d"C:\Users\Admin\AppData\Local\Temp\2570fd0805f9ef4070865a06a14ec7a0.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1948

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\oxfdwybb.exe
        Filesize

        1.2MB

        MD5

        9285756eb53a71a52b273a30ccffa89c

        SHA1

        85e4e3ef971b2b9af86b452d0304c1ce5490e87f

        SHA256

        59789e98065bc2085a1473803702e7376c276cb7aef24d4861354dc8a2e20753

        SHA512

        b5c809681ca758b524db3fd68025f0f2fc8ac199dc4a1abe351445dab87643a2d9b856f3f9bab7021bc10bdc3967fa40acc61d5801051ea2f377a8d5e0b6e05f

        Download Submit

      • C:\Windows\SysWOW64\gezbihje\oxfdwybb.exe
        Filesize

        2.2MB

        MD5

        c22ea5d4895f606dccf041295d1aaea0

        SHA1

        03d897e2a74d1334a12adbbcc38c19710311e451

        SHA256

        364497d93970294365b6ee4a15dcef69c433ba24672a3bf0adf0740597d71dd0

        SHA512

        55f8e2d647f8229272ed6fee783b9ef88dfd7f2a765088b47eac1e3a6188d2ff240c62a8d662cd3937ec69c63568ef4d723360dc0625aa05406a12c5944ae537

        Download Submit

      • memory/808-19-0x0000000000400000-0x000000000324C000-memory.dmp

        Filesize

        46.3MB

        Download

      • memory/808-18-0x0000000000400000-0x000000000324C000-memory.dmp

        Filesize

        46.3MB

        Download

      • memory/808-11-0x00000000033C0000-0x00000000034C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1948-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1948-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1948-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1948-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1948-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1948-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2016-8-0x0000000000230000-0x0000000000243000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2016-7-0x0000000000400000-0x000000000324C000-memory.dmp

        Filesize

        46.3MB

        Download

      • memory/2016-1-0x00000000033B0000-0x00000000034B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2016-6-0x0000000000400000-0x000000000324C000-memory.dmp

        Filesize

        46.3MB

        Download

      • memory/2016-4-0x0000000000400000-0x000000000324C000-memory.dmp

        Filesize

        46.3MB

        Download

      • memory/2016-2-0x0000000000230000-0x0000000000243000-memory.dmp

        Filesize

        76KB

        Download