Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
18/01/2024, 16:17
General
-
Target
6579b65897fd523a9df7f1f271b83937.exe
-
Size
12.9MB
-
MD5
6579b65897fd523a9df7f1f271b83937
-
SHA1
74efe89236c786277be4c231e3d0e31f37515cc9
-
SHA256
a72fe0e974100d0d8d1bf79aed12e9ced6d30e1858d02d2cfa96346073de4555
-
SHA512
479c3899f74cf5a7739532998edc1dddf274c74824f4ac4fa38a5b212700838ae0e2452ed17d1fc6bbc2ba274af9b1e45c142ca909f6078d3c52db2537e05396
-
SSDEEP
24576:KUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmn:KF15
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs 1 IoCs
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vnrrfdxs\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fowunpss.exe" C:\Windows\SysWOW64\vnrrfdxs\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vnrrfdxs binPath= "C:\Windows\SysWOW64\vnrrfdxs\fowunpss.exe /d\"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vnrrfdxs "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vnrrfdxs2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\vnrrfdxs\fowunpss.exeC:\Windows\SysWOW64\vnrrfdxs\fowunpss.exe /d"C:\Users\Admin\AppData\Local\Temp\6579b65897fd523a9df7f1f271b83937.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
888KB
MD5e57552971719669b11d705fc42769b1a
SHA16cccc2cdc259dd1e9dd4003c44a3a0871707b60f
SHA25667b567d15197cc5b92c42098e09c5a1f0ea3b870c583396b9f1d58abaca8290f
SHA51201873630f0ada8d828dcd06d9183ce60daa01d0d86b8cde54d790f00cc97547c0c437dd0cfdd748a523d345b758734cf836cccd5c8b7fd89d47ec3074a1a4ad0
-
Filesize
1.2MB
MD5a1678622a2473a41ea78de54f1ecc028
SHA1560b779d43dae273070019155df12117910613a9
SHA256764266700b960b1676ecb9c492afbb10f0bde7699d39e0d14787f2d0176c4c1e
SHA5126f0e321aacb8ee312b77d9fc62e79ced41a4895e664b5cfca2c8c9a911bf2399b16641bcf532e0db9503b912b3f7797d3a2286b96f35db28c18c09c073233711
-
Filesize
76KB
-
Filesize
1024KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
1024KB
-
Filesize
416KB
-
Filesize
416KB