Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7e434a6cbc...cb.exe

windows7-x64

10

7e434a6cbc...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    245s
  • max time network
    249s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/01/2024, 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e434a6cbcc3d938039a2db91259dfcb.exe

  • Size

    11.9MB

  • MD5

    7e434a6cbcc3d938039a2db91259dfcb

  • SHA1

    c7654ecaa2e52a2fec9083b62d4871ba58c67929

  • SHA256

    22271e2c71304fbe07ac384b7900a449ac4e16252e63d916096399ba972ed16a

  • SHA512

    d7bb6e2180e73ba01928dd6c087e0ab8cf64a5225f53a948521b64b205c57c00a3219a6b8ee321ac7a55bf83dafa19af22da04260025d51b9376da7f616c14a2

  • SSDEEP

    49152:cBpQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ3:

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e434a6cbcc3d938039a2db91259dfcb.exe
    "C:\Users\Admin\AppData\Local\Temp\7e434a6cbcc3d938039a2db91259dfcb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hlswegpy\
      2⤵
        PID:1088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iijrxsug.exe" C:\Windows\SysWOW64\hlswegpy\
        2⤵
          PID:1400
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hlswegpy binPath= "C:\Windows\SysWOW64\hlswegpy\iijrxsug.exe /d\"C:\Users\Admin\AppData\Local\Temp\7e434a6cbcc3d938039a2db91259dfcb.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2728
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description hlswegpy "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4100
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start hlswegpy
          2⤵
          • Launches sc.exe
          PID:2532
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1300
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1044
          2⤵
          • Program crash
          PID:760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1736 -ip 1736
        1⤵
          PID:4964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\iijrxsug.exe
          Filesize

          11.3MB

          MD5

          222895bebec2d707e938458292d4cca4

          SHA1

          fb14eb8d48a5e9555986f063a8514443e82302ed

          SHA256

          76dcc513f5f4657caff2b818a72112bbbd50c141c491502da0a5aab9e6b4f102

          SHA512

          260216c8027f01d7acc185126a80155dd011205d3b86a0e75a16864d911262511faf21346616f154f97db9c537574f0b4b181b2bbbdffea85c2dfc9decab5fcd

          Download Submit

        • memory/1736-1-0x00000000033B0000-0x00000000034B0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1736-2-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-3-0x0000000004E50000-0x0000000004E63000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1736-6-0x00000000033B0000-0x00000000034B0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1736-8-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-10-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-11-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-12-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-17-0x0000000000400000-0x000000000323B000-memory.dmp

          Filesize

          46.2MB

          Download

        • memory/1736-19-0x0000000004E50000-0x0000000004E63000-memory.dmp

          Filesize

          76KB

          Download