Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2024-12-01...ia.exe

windows7-x64

10

2024-12-01...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2024, 17:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia.exe

  • Size

    13.3MB

  • MD5

    8771bbe1870e3f195a9799d11d221dcc

  • SHA1

    5ed9ae508451faa8f2c5dd3b9d7922a8ba27a74a

  • SHA256

    d08f945304cbef1bc7e9b380f7321b692fd50fede584fbfc0829c13ae2eaedcc

  • SHA512

    2d75d2ec904cc69bc46d1d096f8ca7accfa264f776f7358825e9921a26e36e2067c7d09b8e5a9a17bfe4785a00b1f7649295def0ae50d82685ca5be0092c505a

  • SSDEEP

    6144:+yXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:+yXzN8pXAdbbyyZtZfMMMMMMMb

Score
10/10
tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Tofsee family
    tofsee
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zgebouc\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gfvryuz.exe" C:\Windows\SysWOW64\zgebouc\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4764
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create zgebouc binPath= "C:\Windows\SysWOW64\zgebouc\gfvryuz.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3716
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description zgebouc "wifi internet conection"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:4384
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start zgebouc
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1488
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1180
      2⤵
      • Program crash
      PID:3368
  • C:\Windows\SysWOW64\zgebouc\gfvryuz.exe
    C:\Windows\SysWOW64\zgebouc\gfvryuz.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia.exe"
    1⤵
    • Executes dropped EXE
    PID:1780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4396 -ip 4396
    1⤵
      PID:4512

    Network

    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      136.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92deploystaticakamaitechnologiescom
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      98.209.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      98.209.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      136.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      136.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      138 B
       131 B
       2
      1

      DNS Request

      92.12.20.2.in-addr.arpa

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      98.209.201.84.in-addr.arpa
      dns
      72 B
       132 B
       1
      1

      DNS Request

      98.209.201.84.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gfvryuz.exe
      Filesize

      11.1MB

      MD5

      7ef8dc48eb80780cb7ff2d94f4634995

      SHA1

      5b40e32db3571334acfa234ae118d189d426e7bd

      SHA256

      74f06d89568079c4564228b503fadd678c56f5045557d983df71b5055a1d4972

      SHA512

      3047ee8d792c685788c6486d5e97ac7a17db7c3b8a38317e5a3c8a2de27427d71eda3f64df7b5b437251777155b142b37c8898ffa23b2307a5cd3d011a12145f

      Download Submit

    • memory/4396-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4396-2-0x00000000001C0000-0x00000000001D3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4396-3-0x0000000000400000-0x0000000000415000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4396-7-0x0000000000400000-0x0000000000481000-memory.dmp

      Filesize

      516KB

      Download

    • memory/4396-9-0x0000000000400000-0x0000000000415000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4396-8-0x00000000001C0000-0x00000000001D3000-memory.dmp

      Filesize

      76KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.