Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4b2636d537...0a.exe

windows7-x64

10

4b2636d537...0a.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    2s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    08/01/2024, 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b2636d5375fabaf5210326d7ddf380a.exe

  • Size

    14.4MB

  • MD5

    4b2636d5375fabaf5210326d7ddf380a

  • SHA1

    1a2de55ee081916d168c71bc917cd39b94332d8c

  • SHA256

    bb7772836afc601ff0ece2b2f1ebe85ffe73392baf08a993ae8330fdb9b04ce8

  • SHA512

    09d8b92fb0fb501e3cae709786a8f6f52434d1ae5ea03100aa69c427478b6165e6fa70776ec0ff652f1e7ece1128dc25a5328d02a022294de244236212004ff2

  • SSDEEP

    49152:yyjfVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVH:

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe
    "C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\plkqifff\
      2⤵
        PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\npkqjwg.exe" C:\Windows\SysWOW64\plkqifff\
        2⤵
          PID:1852
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create plkqifff binPath= "C:\Windows\SysWOW64\plkqifff\npkqjwg.exe /d\"C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2992
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description plkqifff "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2788
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start plkqifff
          2⤵
          • Launches sc.exe
          PID:2720
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2580
      • C:\Windows\SysWOW64\plkqifff\npkqjwg.exe
        C:\Windows\SysWOW64\plkqifff\npkqjwg.exe /d"C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe"
        1⤵
          PID:2708
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
              PID:2744

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1740-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1740-4-0x0000000000400000-0x0000000000C18000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1740-7-0x0000000000400000-0x0000000000C18000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1740-8-0x0000000000020000-0x0000000000033000-memory.dmp

            Filesize

            76KB

            Download

          • memory/1740-2-0x0000000000020000-0x0000000000033000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2708-12-0x0000000000400000-0x0000000000C18000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2708-10-0x0000000000250000-0x0000000000350000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2708-17-0x0000000000400000-0x0000000000C18000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2744-15-0x00000000000D0000-0x00000000000E5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2744-20-0x00000000000D0000-0x00000000000E5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2744-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2744-21-0x00000000000D0000-0x00000000000E5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2744-11-0x00000000000D0000-0x00000000000E5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2744-22-0x00000000000D0000-0x00000000000E5000-memory.dmp

            Filesize

            84KB

            Download