Analysis

  • max time kernel
    185s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 02:59

General

  • Target

    2577b910eeaf33608920f2202a64b07c.exe

  • Size

    10.4MB

  • MD5

    2577b910eeaf33608920f2202a64b07c

  • SHA1

    e3a0dd0c1cab946b2ba8fdb24dca6db350ae6630

  • SHA256

    958fed2ae0ab7d68ce87e0694d6dca03c67d318a7d7cda91db4d1ad711b771d4

  • SHA512

    824bec1b9ce5b3a4087cf434910ebb40c2b779deb22260b755e49282c9c651322f9c00242e97c39de44d5a6b6e44c51bb59ba3d390750fcae66e1b0f41e87e4c

  • SSDEEP

    6144:d5VCb4QuzFYpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:D8NKFYp

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe
    "C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hiinsiru\
      2⤵
      PID:3588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe" C:\Windows\SysWOW64\hiinsiru\
      2⤵
      PID:3724
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create hiinsiru binPath= "C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      PID:3496
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description hiinsiru "wifi internet conection"
      2⤵
      • Launches sc.exe
      PID:4204
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start hiinsiru
      2⤵
      • Launches sc.exe
      PID:2984
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      PID:2380
  • C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe
    C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe /d"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Sets service image path in registry
      • Deletes itself
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe

        Filesize

        9.2MB

        MD5

        b9d18e98dc7bc0d184da4680de44930f

        SHA1

        04e22156bf9b2db111ab547c778bb7ed1847c3aa

        SHA256

        08f5abf36b515a7b30dd1e2ee95f8351354cb0cae56c88675c7a8a36b1de873a

        SHA512

        6865d3d8b879efda1e70f2344a960e404d53f03daa27c2f3c1f5a68c862456bcdf8284473d525ab6b6e6babb2dc4e84f21c528972ab964470dd7b44bf73f545e

      • C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe

        Filesize

        4.0MB

        MD5

        a540a6f6257dd515ef94fbdaa11ad994

        SHA1

        4a2837df50d5339d89ad1358906f87591d06824f

        SHA256

        478fbb2e9a2aa81316cfb5dcceb2cdd1871095e790cc19587600012298dc0cdb

        SHA512

        de33961d1d34b2eff4371a1bac0cc221c03aceff5e6c2ae4704d659f2510333f3368bc68035dc042a23cc7c3a4f06c359dc10dec3eeae4d1037f2927720b6e64

      • memory/3744-3-0x0000000000140000-0x0000000000155000-memory.dmp

        Filesize

        84KB

      • memory/3744-6-0x0000000000140000-0x0000000000155000-memory.dmp

        Filesize

        84KB

      • memory/3744-7-0x0000000000140000-0x0000000000155000-memory.dmp

        Filesize

        84KB

      • memory/3744-8-0x0000000000140000-0x0000000000155000-memory.dmp

        Filesize

        84KB

      • memory/3744-9-0x0000000000140000-0x0000000000155000-memory.dmp

        Filesize

        84KB