Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
06/01/2024, 20:18
General
-
Target
4718067e3e7b2de52dcdb60475f4f800.exe
-
Size
12.5MB
-
MD5
4718067e3e7b2de52dcdb60475f4f800
-
SHA1
e8dc7059536917d1e9bd7d0aff721f945785db1d
-
SHA256
b2b52413eb8374756d3fff43e2f16d6229dc1327edd1f5fb225bd3c0fecad4f8
-
SHA512
3f5866d8bf4ea81143be22e032643677d01d7fa8e2cc77d5a5c68c03c2c8697b8241ebe6c60f96bc7b36651d26073f568a9204158523ab48962c1e337eb55561
-
SSDEEP
49152:CWqmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm7:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs 1 IoCs
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4718067e3e7b2de52dcdb60475f4f800.exe"C:\Users\Admin\AppData\Local\Temp\4718067e3e7b2de52dcdb60475f4f800.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mbewaztd\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qpdftqrj.exe" C:\Windows\SysWOW64\mbewaztd\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create mbewaztd binPath= "C:\Windows\SysWOW64\mbewaztd\qpdftqrj.exe /d\"C:\Users\Admin\AppData\Local\Temp\4718067e3e7b2de52dcdb60475f4f800.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description mbewaztd "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start mbewaztd2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe1⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
-
C:\Windows\SysWOW64\mbewaztd\qpdftqrj.exeC:\Windows\SysWOW64\mbewaztd\qpdftqrj.exe /d"C:\Users\Admin\AppData\Local\Temp\4718067e3e7b2de52dcdb60475f4f800.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5186ed3c672f177f7e0e38d64a6814cd0
SHA1baa9578bef95b0f789d3f8fce1cde1082da95244
SHA2563a781f48de359cc6b5e59123dcdb90ed1ee303f227cfc591a6b9693134a3c4c1
SHA512e055a08f7347d2fbf899fe3f4b819c902fd43d0f9a0d4789d46566a1d7a25b6805294ed2e7092af5f6b1cd6cb5a1667dba2025c7ccc979582e09cd3a930534ac
-
Filesize
384KB
MD57d692acaaa56433c9326f2cf369f69b0
SHA17e808d6215ce16c9bf1bc9d7d0fd2e8ce474b3de
SHA2560a0ee55f85fb1ccf894b406b6b16a5da8a670e5008a58042101a944a8316a522
SHA512815952a375ac3d74dfbc1a94365997ca1a5e6657398dba062cc946ffc781a94fbf86665579b9c3eee58b7ff6b04491f54dff50d4fb6a99ac1eba0768a03e058d
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
76KB
-
Filesize
1024KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1024KB