
Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/03/2024, 14:35 UTC

General

  • Target

    bc0db50e394ee39b57a709b77f5e280a.exe

  • Size

    13.3MB

  • MD5

    bc0db50e394ee39b57a709b77f5e280a

  • SHA1

    784fc1303bafbce76bf0b02da9d814605a84e79f

  • SHA256

    216c4de57aae07cd4a677efd02183dc2709a6e096575d9b6fee861fd4217203f

  • SHA512

    764d067f4d1e8906b1a4f5337cd665514e0f61afb24c18c4b1593503744dd34fb6029d1182a15ed85ca906ed9da06d6dc5c1cef59eb861d4f2790c5073e43dd3

  • SSDEEP

    49152:fj5555555555555555555555555555555555555555555555555555555555555Z:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe (PID 2272)
    "C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2084)
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sawphenj\
    • C:\Windows\SysWOW64\cmd.exe (PID 2872)
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe" C:\Windows\SysWOW64\sawphenj\
    • C:\Windows\SysWOW64\sc.exe (PID 3024)
      "C:\Windows\System32\sc.exe" create sawphenj binPath= "C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe /d\"C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe\"" type= own start= auto DisplayName= "wifi support"
      • Launches sc.exe
    • C:\Windows\SysWOW64\sc.exe (PID 2548)
      "C:\Windows\System32\sc.exe" description sawphenj "wifi internet conection"
      • Launches sc.exe
    • C:\Windows\SysWOW64\sc.exe (PID 2612)
      "C:\Windows\System32\sc.exe" start sawphenj
      • Launches sc.exe
    • C:\Windows\SysWOW64\netsh.exe (PID 2448)
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      • Modifies Windows Firewall
  • C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe (PID 2596)
    C:\Windows\SysWOW64\sawphenj\cpdgiigt.exe /d"C:\Users\Admin\AppData\Local\Temp\bc0db50e394ee39b57a709b77f5e280a.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\svchost.exe (PID 1620)
      svchost.exe
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself

      Network


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe

        Filesize

        14.9MB

        MD5

        07dfaffdce44c5210ac309a1200e293f

        SHA1

        2400290dfe559ce35e5a71d7538ad8092b3a74bc

        SHA256

        e2c4337fb1f59e904f9ba1c7f8a51a795d83c6af88c7d4b58282926973893699

        SHA512

        924111d0c4bc180adc525c88b669f5f4e55ef6c92c4643109610ddafc81b9017b9358dcc79e80b3a92e4e3dbf556cfaffe4f0b58b00e9fb11b706983b2448a66
