Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7d622157c4...06.exe

windows7-x64

10

7d622157c4...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d622157c4c9861a2bb4a1c5ffd85106.exe

  • Size

    12.5MB

  • MD5

    7d622157c4c9861a2bb4a1c5ffd85106

  • SHA1

    8950e8c7908624eecf9c59f978446f1cafa2fded

  • SHA256

    8dd3ef051e815d7e2e7bd153477614356dac6f34f6510a06e5a19a4f84a0fb9e

  • SHA512

    38d6ba9613e13f07e91db844d856fc87da698dadacc0086a0b63e2ad365292fbbbad571099d0c70ce73f682df8fc46e1a33a5614d8010a400d4d2af05f2c8db7

  • SSDEEP

    49152:BaBVqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqm:4

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d622157c4c9861a2bb4a1c5ffd85106.exe
    "C:\Users\Admin\AppData\Local\Temp\7d622157c4c9861a2bb4a1c5ffd85106.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cqgwrkja\
      2⤵
        PID:4216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vvsnqhyq.exe" C:\Windows\SysWOW64\cqgwrkja\
        2⤵
          PID:1484
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create cqgwrkja binPath= "C:\Windows\SysWOW64\cqgwrkja\vvsnqhyq.exe /d\"C:\Users\Admin\AppData\Local\Temp\7d622157c4c9861a2bb4a1c5ffd85106.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2632
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description cqgwrkja "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2500
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start cqgwrkja
          2⤵
          • Launches sc.exe
          PID:3480
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 792
          2⤵
          • Program crash
          PID:2412
      • C:\Windows\SysWOW64\cqgwrkja\vvsnqhyq.exe
        C:\Windows\SysWOW64\cqgwrkja\vvsnqhyq.exe /d"C:\Users\Admin\AppData\Local\Temp\7d622157c4c9861a2bb4a1c5ffd85106.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:3004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 556
          2⤵
          • Program crash
          PID:2552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1028 -ip 1028
        1⤵
          PID:4604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3756 -ip 3756
          1⤵
            PID:4368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\vvsnqhyq.exe
            Filesize

            13.4MB

            MD5

            cc1d1153f6fefc2bd04e759cbf6d58e2

            SHA1

            dd2aee1f7973146d57853e03e7708848f1fc2785

            SHA256

            e3430b0aedc2ae6686bec1e427e2202b56e6abe24971e2d340ffe99134c45ad9

            SHA512

            8f90236a590f322d7905c7ccbb38df027238886c47196afe511591425e735a72cdfa8dbfbaa5b9b1800e78282a1a8cadcfad77a958fe57008ffccf58c7c668a0

            Download Submit

          • C:\Windows\SysWOW64\cqgwrkja\vvsnqhyq.exe
            Filesize

            6.1MB

            MD5

            cab15c9efaa0afcf5a9b314ec480370a

            SHA1

            e8b4f15721d8d3e2fa21c552f8672f7408cb1552

            SHA256

            d93c7308803597b89f463a02d6e61f23f285a17643278ff908d3ac6c5d9cb2e5

            SHA512

            0f5058482b85948035553774a8b70f137c7ceda9e1883df0ce50761743fd0c2264aa49fe43e29c47db75669dee72fb60ca9a986aefe9752a8407ed523ee911a5

            Download Submit

          • memory/1028-5-0x0000000000400000-0x0000000002CC0000-memory.dmp

            Filesize

            40.8MB

            Download

          • memory/1028-6-0x0000000000400000-0x0000000002CC0000-memory.dmp

            Filesize

            40.8MB

            Download

          • memory/1028-3-0x0000000000400000-0x0000000002CC0000-memory.dmp

            Filesize

            40.8MB

            Download

          • memory/1028-2-0x0000000004A00000-0x0000000004A13000-memory.dmp

            Filesize

            76KB

            Download

          • memory/1028-10-0x0000000002E20000-0x0000000002F20000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1028-1-0x0000000002E20000-0x0000000002F20000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1028-16-0x0000000000400000-0x0000000002CC0000-memory.dmp

            Filesize

            40.8MB

            Download

          • memory/3004-20-0x0000000000150000-0x0000000000165000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3004-12-0x0000000000150000-0x0000000000165000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3004-22-0x0000000000150000-0x0000000000165000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3004-21-0x0000000000150000-0x0000000000165000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3004-19-0x0000000000150000-0x0000000000165000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3756-13-0x0000000002EF0000-0x0000000002F03000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3756-18-0x0000000000400000-0x0000000002CC0000-memory.dmp

            Filesize

            40.8MB

            Download

          • memory/3756-11-0x0000000002F60000-0x0000000003060000-memory.dmp

            Filesize

            1024KB

            Download