Analysis

  • max time kernel
    144s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2024, 12:03

General

  • Target

    abd5bc4c0ae51f1cbff6215bd4c7db1b.exe

  • Size

    11.5MB

  • MD5

    abd5bc4c0ae51f1cbff6215bd4c7db1b

  • SHA1

    78f1c2d2696d42c971f7aac2a5a9e4054ff156c3

  • SHA256

    1034116ab8df2f195badd17f38b4628e3ba7251dcd2e62d7dd34bc2c2791eb82

  • SHA512

    7fbfbeb41c05b7c688b2ca4f9eda3bc6f5a6021f4024c67a647b88c3bbdfec258a3d81540ef951f938689b4aa10e75c697a4533014cd34ddf2426aa7a9949b40

  • SSDEEP

    196608:nrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrL:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abd5bc4c0ae51f1cbff6215bd4c7db1b.exe
    "C:\Users\Admin\AppData\Local\Temp\abd5bc4c0ae51f1cbff6215bd4c7db1b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ojoxetab\
      2⤵
        PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jnyqubci.exe" C:\Windows\SysWOW64\ojoxetab\
        2⤵
          PID:2592
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ojoxetab binPath= "C:\Windows\SysWOW64\ojoxetab\jnyqubci.exe /d\"C:\Users\Admin\AppData\Local\Temp\abd5bc4c0ae51f1cbff6215bd4c7db1b.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2828
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ojoxetab "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2660
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ojoxetab
          2⤵
          • Launches sc.exe
          PID:2664
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2784
      • C:\Windows\SysWOW64\ojoxetab\jnyqubci.exe
        C:\Windows\SysWOW64\ojoxetab\jnyqubci.exe /d"C:\Users\Admin\AppData\Local\Temp\abd5bc4c0ae51f1cbff6215bd4c7db1b.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:1640

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\jnyqubci.exe

        Filesize

        11.7MB

        MD5

        f3fc0a822371873b1847e68c66be4e7c

        SHA1

        c4be43cd747276600372acf2aaac4b1d4180b060

        SHA256

        c9f0871d30460e1ec3630fc9fb8c6ed786f08c7a768cef6c5c92b61aa13dcff4

        SHA512

        638151e69aef63a0c5a9b638154a4e06cb0a358ac10109fa6049827655ff19b29346be0d975d6345849426ac252ae356389a3735587ab95ad61b0880fc96c6b2

      • C:\Windows\SysWOW64\ojoxetab\jnyqubci.exe

        Filesize

        960KB

        MD5

        746623b839c07ea4e1ed985a72727c7c

        SHA1

        6bbb6048330f0b1f71a39f1ae4c50cda9e3434ed

        SHA256

        01c2638d4a70b56763d3a76dcad7c3013fa2d7cacc8cf8f005a0798c294fb436

        SHA512

        dc4d795003b6d73e97170a4e75d8fd84e4a6005c0b54d17bf9dc0d19fa4f99abba82569f4bd277acc6cb9e2c2ee5419bc30c70f7516f50819cec54d75547a63e

      • memory/1640-14-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1640-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1640-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1640-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1640-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/1640-11-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/1884-1-0x0000000000D30000-0x0000000000E30000-memory.dmp

        Filesize

        1024KB

      • memory/1884-8-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/1884-4-0x0000000000400000-0x00000000008EB000-memory.dmp

        Filesize

        4.9MB

      • memory/1884-7-0x0000000000400000-0x00000000008EB000-memory.dmp

        Filesize

        4.9MB

      • memory/1884-2-0x0000000000220000-0x0000000000233000-memory.dmp

        Filesize

        76KB

      • memory/2656-10-0x00000000009D0000-0x0000000000AD0000-memory.dmp

        Filesize

        1024KB

      • memory/2656-16-0x0000000000400000-0x00000000008EB000-memory.dmp

        Filesize

        4.9MB

      • memory/2656-18-0x0000000000400000-0x00000000008EB000-memory.dmp

        Filesize

        4.9MB