Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2024, 07:52

General

  • Target

    7f4ac2fafc02d4f6144c8aeee6627ec8.exe

  • Size

    13.6MB

  • MD5

    7f4ac2fafc02d4f6144c8aeee6627ec8

  • SHA1

    9b97a23034cd97993b6c55d5a4ac16d4e8ac8e3b

  • SHA256

    84c7cf500a3f80503733ee11075b15399a1d6af01485e19c3caaecb52c2909c8

  • SHA512

    ca74d14d415f20c44a0f26975c95f0ef8618ae2cf57dd4db039e8483bae70d83074d67d1c04cbdccffdc0f6c54f998de88de6da77814b5a8bbb537b60ca17466

  • SSDEEP

    24576:1htJbmFQuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuX:SF

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\invdprtb\
      2⤵
        PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xqiecnb.exe" C:\Windows\SysWOW64\invdprtb\
        2⤵
          PID:2044
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create invdprtb binPath= "C:\Windows\SysWOW64\invdprtb\xqiecnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2772
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description invdprtb "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2340
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start invdprtb
          2⤵
          • Launches sc.exe
          PID:2740
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2860
      • C:\Windows\SysWOW64\invdprtb\xqiecnb.exe
        C:\Windows\SysWOW64\invdprtb\xqiecnb.exe /d"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2828

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xqiecnb.exe

        Filesize

        3.9MB

        MD5

        8c90c2cf17a47dcf316d0b5310d68f46

        SHA1

        e119f3facaf36e30003a5a997d78b47c47ed7a9d

        SHA256

        17539ef20b031aa18233c8d2fc3d575083d241dea45bd83ddd680e3f0826e51b

        SHA512

        c0bb883efa1ad92ef4cbcae55c7752e41495a011237f91773320c502b317714bc18772748335bf727caa377953d67046d39c9cd761746480700410e45a07cdc8

      • C:\Windows\SysWOW64\invdprtb\xqiecnb.exe

        Filesize

        117KB

        MD5

        140367e57a90410c33e809e46d004f24

        SHA1

        ef3cf24b1e40f7da6640880bd6cf9e149df404e6

        SHA256

        b979c7ff522d1ead67d1faf8591e16a6dd428162eb4be5049222ca576a1df9eb

        SHA512

        343fe3053e4cf39a6c7a164a558cf4f6cf0f5314db792432c06185e1b940c8c6e37e7386949d577c6ce55c75fce083c8f35aad37d47ccbac089befe18ea9ff3a

      • memory/2212-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/2212-4-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2212-8-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2212-9-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB

      • memory/2212-1-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB

      • memory/2780-17-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2780-11-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

      • memory/2780-13-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2828-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2828-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2828-10-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2828-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2828-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2828-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB