Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
7s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01/01/2024, 06:47
General
-
Target
3c29b2a85beb671f0504afc7c3e1346a.exe
-
Size
12.5MB
-
MD5
3c29b2a85beb671f0504afc7c3e1346a
-
SHA1
4db3c724d1d4377bcb85ed2d625ef23867308ce9
-
SHA256
38d1de62b07f072de9aab3a81d82d3066eadf97a016504e7188864f29328b6c2
-
SHA512
89668f1629ea80ec2ebe9e754327abd34bb2b4ffbe75afdf4fe0c50a3e0198f64bf8b8fd95a9752254bc998e751edef0db9a7cf148a5c96946c98bba3cd9311f
-
SSDEEP
24576:ojDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3:onh
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c29b2a85beb671f0504afc7c3e1346a.exe"C:\Users\Admin\AppData\Local\Temp\3c29b2a85beb671f0504afc7c3e1346a.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vxfrgnhp\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oolgjarj.exe" C:\Windows\SysWOW64\vxfrgnhp\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vxfrgnhp binPath= "C:\Windows\SysWOW64\vxfrgnhp\oolgjarj.exe /d\"C:\Users\Admin\AppData\Local\Temp\3c29b2a85beb671f0504afc7c3e1346a.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vxfrgnhp "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vxfrgnhp2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\vxfrgnhp\oolgjarj.exeC:\Windows\SysWOW64\vxfrgnhp\oolgjarj.exe /d"C:\Users\Admin\AppData\Local\Temp\3c29b2a85beb671f0504afc7c3e1346a.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD51d084d1506f374e642204ccd2f68e2d5
SHA12d6547c6db94a222d08be946a53e0aac11bf9381
SHA2562a864fae1e1d4b98656db7869f738ad6e2efd550957b512137ec22c3265b1d34
SHA51271f94bb750ee18c9fb4fd13814fdf9894b7961e4569a9cc11ad41b5a93d1f01532dbb4d10b766b1ad05df66004b64fd9c1dedc4e6c050c69e4138757f712ecd9
-
Filesize
35KB
MD5bec816630e6c0e9eada8cefd8ffe1f63
SHA11991e01cf841421709c1f729619eb831caf96db7
SHA256516d7c8c8756d238fea571d0741a17ea0e6449afc5de8ef45f15a3ec3c901736
SHA512281c23b5779d0924e1d980c92bca35c112c4d9e0e931db7a1ccdc5fe525ab0a98403338e4a8a6eeb516281889d1079500675dfb59a1dbcc02828dbfcaa354c70
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
1024KB
-
Filesize
440KB
-
Filesize
76KB
-
Filesize
440KB
-
Filesize
1024KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
1024KB
-
Filesize
76KB