Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2024, 19:15

General

  • Target

    cc35570f8a6ca5eaa3b157d5129cf642.exe

  • Size

    12.0MB

  • MD5

    cc35570f8a6ca5eaa3b157d5129cf642

  • SHA1

    183c1a4dd86f9e96aba6020770de442ba1cab90f

  • SHA256

    961f5faa6835275d729394a3136e2a932540297fa9ccf7ced9f0bec24b191f39

  • SHA512

    638b4c36533d05b96b19f046899fcdc471efc58cd0893def3daa3d83d5c219fb8de67fd436cba3e22586b70a70e35ef7241cb042175c6f9555be52f2112bce58

  • SSDEEP

    24576:9lxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBD:9lzOR

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe
    "C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xnvewyno\
      2⤵
        PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gkrvxaqc.exe" C:\Windows\SysWOW64\xnvewyno\
        2⤵
          PID:3012
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xnvewyno binPath= "C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe /d\"C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2644
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description xnvewyno "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2660
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start xnvewyno
          2⤵
          • Launches sc.exe
          PID:2392
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2704
      • C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe
        C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe /d"C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2428

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gkrvxaqc.exe

        Filesize

        12.1MB

        MD5

        4555d932ab22ae5ff7caeb2a1cf79e18

        SHA1

        7088d7fc047e57e6f6ab6e22ab81a6d94eb49e6a

        SHA256

        6384c6ef34b55e93b40fc036441af73e6130429dee62138cc2f556bc4ca664f5

        SHA512

        600864323db393262f162e38d2f371a121234ae0360c74c32a60053c718b0c82b176f7ea53eab506d19e61a10a0f0a7c4387a66cf94886e375ab28caf7171e7c

      • C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe

        Filesize

        1.6MB

        MD5

        db8c452cded2a0a0ce979a2ffb6edb9b

        SHA1

        174f8269cc6bd95b38d3968a7dea5aee4f706530

        SHA256

        42e4c523e4a816db8199b5b9b1bc7725ca7c55a95d6870a8dc8446568c4d36c4

        SHA512

        e77b071fc604384a723de663275234cad6db3df090ce97e89e482aadca16be27af2d5c756adc3911c4ea4ff3e4d0bf31ba50fff02f54dc0e44d6c96ceb72ae3c

      • memory/2156-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

        Filesize

        1024KB

      • memory/2156-2-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

      • memory/2156-3-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2156-8-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2156-9-0x00000000001B0000-0x00000000001C3000-memory.dmp

        Filesize

        76KB

      • memory/2428-15-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2428-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2428-12-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2428-19-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2428-20-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2428-21-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2428-22-0x0000000000080000-0x0000000000095000-memory.dmp

        Filesize

        84KB

      • memory/2548-11-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2548-16-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2548-10-0x0000000000590000-0x0000000000690000-memory.dmp

        Filesize

        1024KB