Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 18:14

General

  • Target

    f1bdc796ba64b96cd4aaaf20ff3da0cc.exe

  • Size

    13.1MB

  • MD5

    f1bdc796ba64b96cd4aaaf20ff3da0cc

  • SHA1

    3853853e87d469821b136c75f4bc16b09a9c5a2b

  • SHA256

    46c879741fc6d476d4ff3edcd1b33c43c5b6107958925d706dd83fb0b1035f20

  • SHA512

    e6876df269d2c0559484e37b0da780191c45ae3a6b3d48b7dc01002e5a789e696a6fe7b9674e60d90e94bd5214a7ebb2012a3bd39bf381bc79d40aa33b5bf92a

  • SSDEEP

    24576:Vl3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
    "C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htrofery\
      2⤵
        PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ehrxepiy.exe" C:\Windows\SysWOW64\htrofery\
        2⤵
          PID:4424
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create htrofery binPath= "C:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1556
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description htrofery "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4580
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start htrofery
          2⤵
          • Launches sc.exe
          PID:4480
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:316
      • C:\Windows\SysWOW64\htrofery\ehrxepiy.exe
        C:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:5100

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ehrxepiy.exe

        Filesize

        1.3MB

        MD5

        2cf38946970ecb0f4ec259d6cbaf7d3d

        SHA1

        a8e7d43a52968a3c70768a07bbfb60eaa0f4d888

        SHA256

        bc491513179fb643e3863b439c9ee1efd742afce6be742aa215be119e7ae8e23

        SHA512

        d68c4f66b56ffa576808c5f77f94ca5e18636cec252fe8a4465d2342a9ae780a3d379e232398a8cecae9a6a0531071a7490d40693f6502b612344ba19a90c9bc

      • C:\Windows\SysWOW64\htrofery\ehrxepiy.exe

        Filesize

        99KB

        MD5

        07506671ae860c321526f3b43f8f44a3

        SHA1

        d9467b184f45cfb99f9b91829f9f4b1f4156f98e

        SHA256

        99c362704a185960aad4a01b42276c746f441bb490e18d36ea8ae0bc24dc83c6

        SHA512

        48023648ba17fa87c00f724d9b22541d839fdf4d6897ac8455ddccb1c855ad97f10af74aec248dfeb091c2152affc43f6826a10aa6c95d319ba33fc7837c3d6a

      • memory/528-2-0x00000000005E0000-0x00000000005E1000-memory.dmp

        Filesize

        4KB

      • memory/528-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

        Filesize

        4KB

      • memory/528-0-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/528-6-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/4888-9-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/4888-7-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

      • memory/5100-13-0x0000000000A60000-0x0000000000A75000-memory.dmp

        Filesize

        84KB

      • memory/5100-14-0x0000000000A60000-0x0000000000A75000-memory.dmp

        Filesize

        84KB

      • memory/5100-8-0x0000000000A60000-0x0000000000A75000-memory.dmp

        Filesize

        84KB

      • memory/5100-15-0x0000000000A60000-0x0000000000A75000-memory.dmp

        Filesize

        84KB