Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
09/01/2024, 18:14
General
-
Target
f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
-
Size
13.1MB
-
MD5
f1bdc796ba64b96cd4aaaf20ff3da0cc
-
SHA1
3853853e87d469821b136c75f4bc16b09a9c5a2b
-
SHA256
46c879741fc6d476d4ff3edcd1b33c43c5b6107958925d706dd83fb0b1035f20
-
SHA512
e6876df269d2c0559484e37b0da780191c45ae3a6b3d48b7dc01002e5a789e696a6fe7b9674e60d90e94bd5214a7ebb2012a3bd39bf381bc79d40aa33b5bf92a
-
SSDEEP
24576:Vl3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htrofery\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ehrxepiy.exe" C:\Windows\SysWOW64\htrofery\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create htrofery binPath= "C:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description htrofery "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start htrofery2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\htrofery\ehrxepiy.exeC:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD52cf38946970ecb0f4ec259d6cbaf7d3d
SHA1a8e7d43a52968a3c70768a07bbfb60eaa0f4d888
SHA256bc491513179fb643e3863b439c9ee1efd742afce6be742aa215be119e7ae8e23
SHA512d68c4f66b56ffa576808c5f77f94ca5e18636cec252fe8a4465d2342a9ae780a3d379e232398a8cecae9a6a0531071a7490d40693f6502b612344ba19a90c9bc
-
Filesize
99KB
MD507506671ae860c321526f3b43f8f44a3
SHA1d9467b184f45cfb99f9b91829f9f4b1f4156f98e
SHA25699c362704a185960aad4a01b42276c746f441bb490e18d36ea8ae0bc24dc83c6
SHA51248023648ba17fa87c00f724d9b22541d839fdf4d6897ac8455ddccb1c855ad97f10af74aec248dfeb091c2152affc43f6826a10aa6c95d319ba33fc7837c3d6a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB