Analysis
max time kernel: 144s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 14/11/2023, 19:00
Static task: static1
Behavioral task: behavioral1
  Sample: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
  Resource: win10v2004-20231023-en
General
Target: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
Size: 13.2MB
MD5: 3328e6fe99f8cfe5b8acbaab0cb50fd0
SHA1: fcd53cf0cf6b7dc3fb623908525082500cdddc17
SHA256: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e
SHA512: 2cb03e94d20b5a3d0c6c81d51ec8b00988b65b2c372b21ae561ab0df3331e2bbc9973bece7c527aad4b61c08b1f33b0954e0cce92fd9bbff74c6c98f574d15c6
SSDEEP: 3072:38NYa2qJjULtTNupQyEC6pxhhfm5OcVi:3sRItTNKr2f45
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid | Process
  5032 | netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jinhyifx\ImagePath = "C:\\Windows\\SysWOW64\\jinhyifx\\kiplktri.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
Deletes itself (1 IoCs)
  pid | Process
  1340 | svchost.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  3384 | kiplktri.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3384 set thread context of 1340 | 3384 | kiplktri.exe | 103
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1748 | sc.exe
  1764 | sc.exe
  1324 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 4424 wrote to memory of 2024 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 87
  PID 4424 wrote to memory of 2024 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 87
  PID 4424 wrote to memory of 2024 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 87
  PID 4424 wrote to memory of 3144 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 89
  PID 4424 wrote to memory of 3144 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 89
  PID 4424 wrote to memory of 3144 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 89
  PID 4424 wrote to memory of 1748 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 92
  PID 4424 wrote to memory of 1748 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 92
  PID 4424 wrote to memory of 1748 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 92
  PID 4424 wrote to memory of 1764 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 96
  PID 4424 wrote to memory of 1764 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 96
  PID 4424 wrote to memory of 1764 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 96
  PID 4424 wrote to memory of 1324 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 98
  PID 4424 wrote to memory of 1324 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 98
  PID 4424 wrote to memory of 1324 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 98
  PID 4424 wrote to memory of 5032 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 100
  PID 4424 wrote to memory of 5032 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 100
  PID 4424 wrote to memory of 5032 | 4424 | ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe | 100
  PID 3384 wrote to memory of 1340 | 3384 | kiplktri.exe | 103
  PID 3384 wrote to memory of 1340 | 3384 | kiplktri.exe | 103
  PID 3384 wrote to memory of 1340 | 3384 | kiplktri.exe | 103
  PID 3384 wrote to memory of 1340 | 3384 | kiplktri.exe | 103
  PID 3384 wrote to memory of 1340 | 3384 | kiplktri.exe | 103
Processes
C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4424
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jinhyifx\
      PID:2024
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kiplktri.exe" C:\Windows\SysWOW64\jinhyifx\
      PID:3144
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create jinhyifx binPath= "C:\Windows\SysWOW64\jinhyifx\kiplktri.exe /d\"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID:1748
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description jinhyifx "wifi internet conection"
      - Launches sc.exe
      PID:1764
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start jinhyifx
      - Launches sc.exe
      PID:1324
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID:5032
C:\Windows\SysWOW64\jinhyifx\kiplktri.exe
  Command line: C:\Windows\SysWOW64\jinhyifx\kiplktri.exe /d"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3384
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
      PID:1340
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 12.9MB
MD5: aece90724fab86c45b92621dce54418b
SHA1: 74b5a86f0456bd2f5e3776ef574e7853d1d2d89e
SHA256: bedd4e11ed01636520db6d524ce574ca5ce38763b90c14220543b61198c73194
SHA512: 9e69b96eda1c151c075255133a70a04f37e112b06d8e172caf5fba56617a14f14e0bfbfa98d287de8af46594416d000e74e45926c67a549f6aec17deb4913c2d