Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a1cdfab5a4...15.exe

windows7-x64

10

a1cdfab5a4...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 11:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1cdfab5a4af43636fe8141ba9bb2215.exe

  • Size

    14.8MB

  • MD5

    a1cdfab5a4af43636fe8141ba9bb2215

  • SHA1

    fe8e0d854dee3d741167f4c302b5f05c71e23189

  • SHA256

    a492284b3b05e75509bd1b8b6e7f73b5bf7f78263d5725082a8c76bb782b3c63

  • SHA512

    9dca7bbfbcc6178eecc0221afae418b5012d27b4023e754d0db54811d57074b21583f400408fe06790869585eee163ece122dfd064050287ce7d3561c151e37f

  • SSDEEP

    12288:F1vfanyphPu2xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFz:zvfEyph

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1cdfab5a4af43636fe8141ba9bb2215.exe
    "C:\Users\Admin\AppData\Local\Temp\a1cdfab5a4af43636fe8141ba9bb2215.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zlwpfhru\
      2⤵
        PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xgafxwrn.exe" C:\Windows\SysWOW64\zlwpfhru\
        2⤵
          PID:2060
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create zlwpfhru binPath= "C:\Windows\SysWOW64\zlwpfhru\xgafxwrn.exe /d\"C:\Users\Admin\AppData\Local\Temp\a1cdfab5a4af43636fe8141ba9bb2215.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4860
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description zlwpfhru "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4548
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start zlwpfhru
          2⤵
          • Launches sc.exe
          PID:4964
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1036
          2⤵
          • Program crash
          PID:2404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 688 -ip 688
        1⤵
          PID:1872
        • C:\Windows\SysWOW64\zlwpfhru\xgafxwrn.exe
          C:\Windows\SysWOW64\zlwpfhru\xgafxwrn.exe /d"C:\Users\Admin\AppData\Local\Temp\a1cdfab5a4af43636fe8141ba9bb2215.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3184
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Deletes itself
            PID:5000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 516
            2⤵
            • Program crash
            PID:4492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3184 -ip 3184
          1⤵
            PID:2452

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\xgafxwrn.exe
            Filesize

            13.0MB

            MD5

            b6360eacb54417b4f1a31c929b72e7a6

            SHA1

            b328a6d3335f78381943f34ea5fd9026045c4542

            SHA256

            9b447a43b31755e2af5ff2369fb018ca782ebcfcb5132db662b781dde15e13bf

            SHA512

            9fd601e089d4d9ead081d26dbafb424bfde41c3f94886b29fffa7a0c4b72e00a8fdc12850255af232fcc115a177bc24980bd67ae3cbdc06bb69a68e8de4702cf

            Download Submit

          • C:\Windows\SysWOW64\zlwpfhru\xgafxwrn.exe
            Filesize

            8.2MB

            MD5

            6411987b6006bcbb10426d9646457a84

            SHA1

            3cfd44882ed2321aa4928a77e65a3683832b1e25

            SHA256

            69cb3af247f724c8bf2e924fb817625eaf3e15d7f884a825d3b7b8216f94fdf1

            SHA512

            a8283b903b25f71a70df67e1e0e3aac9defd4db890910239559f2a120ae202893c9efee6bb6d0933fec34c0ed524194dffb0c710fdfa2379ec8567622d3bbda7

            Download Submit

          • memory/688-1-0x0000000003460000-0x0000000003560000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/688-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

            Filesize

            76KB

            Download

          • memory/688-4-0x0000000000400000-0x0000000003379000-memory.dmp

            Filesize

            47.5MB

            Download

          • memory/688-5-0x0000000000400000-0x0000000003379000-memory.dmp

            Filesize

            47.5MB

            Download

          • memory/688-7-0x0000000000400000-0x0000000003379000-memory.dmp

            Filesize

            47.5MB

            Download

          • memory/688-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3184-11-0x0000000003760000-0x0000000003860000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3184-20-0x0000000000400000-0x0000000003379000-memory.dmp

            Filesize

            47.5MB

            Download

          • memory/3184-26-0x0000000000400000-0x0000000003379000-memory.dmp

            Filesize

            47.5MB

            Download

          • memory/5000-21-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/5000-24-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/5000-25-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/5000-27-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download

          • memory/5000-28-0x0000000000E00000-0x0000000000E15000-memory.dmp

            Filesize

            84KB

            Download