Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
01/01/2024, 20:00
General
-
Target
42447fa47634362aeff2746d2ad7fe43.exe
-
Size
11.4MB
-
MD5
42447fa47634362aeff2746d2ad7fe43
-
SHA1
e4c1aa0f40112f20e1f41f104d61a1ae265c29d4
-
SHA256
8d6d6e9a34683ac82b391d1725b233f7b4713978f6a3a528a2062425fb90f537
-
SHA512
5776f74befea8bbaa87495f57063bc417c7045f251d9f93aac59a10b9032210ccb7bea96dcf904c0ccc3528bb55c50d13451e5c58067aeb6b245d4195c2d3842
-
SSDEEP
49152:nGvEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:nG
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs 1 IoCs
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42447fa47634362aeff2746d2ad7fe43.exe"C:\Users\Admin\AppData\Local\Temp\42447fa47634362aeff2746d2ad7fe43.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nvuxball\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\asguihxr.exe" C:\Windows\SysWOW64\nvuxball\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create nvuxball binPath= "C:\Windows\SysWOW64\nvuxball\asguihxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\42447fa47634362aeff2746d2ad7fe43.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description nvuxball "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start nvuxball2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\nvuxball\asguihxr.exeC:\Windows\SysWOW64\nvuxball\asguihxr.exe /d"C:\Users\Admin\AppData\Local\Temp\42447fa47634362aeff2746d2ad7fe43.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.1MB
MD53c8ab9cdf5333b9d814d7c9ceaf42c59
SHA13c8742e4dac0a1086d0fc23fe5e668db4fe32804
SHA256a2111e7a49a0d26f462c23222b06ef3e24013f63c3d6631a0b729acd3b0fb2a7
SHA512d1aa868784d5b5adc180d92c62e67eda3fe2e66097dac8a56bfb5bbfd944ad4f6f5366c69b1fb54693b50580cef9b4c51d9d4e78ff24c112ca9ae560cdbb301a
-
Filesize
768KB
MD50422023c6e8bfeda91f112cc18de8bb3
SHA11928851e434cb8ee12da6f1ff1ab561578d65899
SHA2568098c6e961d7343922b1dc5bbe8d9076f6080724aea838f7c5db7dd23dac8556
SHA51223f364467d20623cbe966fca960e7a9316610829e7d2ae1d8366af480a5e48b059d5c96f9ba68d748914ca5f12d626bd42663c67e8c7d4ea9f2e29c5be511475
-
Filesize
1024KB
-
Filesize
76KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
76KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
1024KB
-
Filesize
8.1MB
-
Filesize
8.1MB