Analysis
max time kernel: 142s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/11/2023, 19:03
Static task: static1
Behavioral task: behavioral1
  Sample: 281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: 281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe
  Resource: win10v2004-20231020-en
General
Target: 281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe
Size: 13.1MB
MD5: 873c0a981c80da05593897c6aec0e842
SHA1: 3fb083e944c36cc3a938e64d9c10ace3065d444a
SHA256: 281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913
SHA512: 27c119c25dbe7cca2da3043eff931bfc0d9ad5b34cd7489000181cf3d8aa6814b83ef1185f6e7f692e9e87cca17d9b5c5d89ab0402e9264840fa80f5da21800d
SSDEEP: 393216:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  2840  netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rlzhnbug\ImagePath = "C:\\Windows\\SysWOW64\\rlzhnbug\\nzauplmj.exe"
  Process: svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation
  Process: 281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe

Deletes itself (1 IoCs)
  pid   Process
  2784  svchost.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  764   nzauplmj.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process       procid_target
  PID 764 set thread context of 2784    764   nzauplmj.exe  105

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  1336  sc.exe
  4664  sc.exe
  1292  sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (23 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3080 wrote to memory of 1808   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   89
  PID 3080 wrote to memory of 1808   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   89
  PID 3080 wrote to memory of 1808   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   89
  PID 3080 wrote to memory of 980    3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   92
  PID 3080 wrote to memory of 980    3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   92
  PID 3080 wrote to memory of 980    3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   92
  PID 3080 wrote to memory of 1292   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   95
  PID 3080 wrote to memory of 1292   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   95
  PID 3080 wrote to memory of 1292   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   95
  PID 3080 wrote to memory of 1336   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   97
  PID 3080 wrote to memory of 1336   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   97
  PID 3080 wrote to memory of 1336   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   97
  PID 3080 wrote to memory of 4664   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   99
  PID 3080 wrote to memory of 4664   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   99
  PID 3080 wrote to memory of 4664   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   99
  PID 3080 wrote to memory of 2840   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   101
  PID 3080 wrote to memory of 2840   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   101
  PID 3080 wrote to memory of 2840   3080  281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe   101
  PID 764 wrote to memory of 2784    764   nzauplmj.exe                                                            105
  PID 764 wrote to memory of 2784    764   nzauplmj.exe                                                            105
  PID 764 wrote to memory of 2784    764   nzauplmj.exe                                                            105
  PID 764 wrote to memory of 2784    764   nzauplmj.exe                                                            105
  PID 764 wrote to memory of 2784    764   nzauplmj.exe                                                            105
Processes

C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3080

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rlzhnbug\
      PID: 1808

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nzauplmj.exe" C:\Windows\SysWOW64\rlzhnbug\
      PID: 980

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create rlzhnbug binPath= "C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe /d\"C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID: 1292

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description rlzhnbug "wifi internet conection"
      - Launches sc.exe
      PID: 1336

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start rlzhnbug
      - Launches sc.exe
      PID: 4664

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID: 2840

C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe
  Command line: C:\Windows\SysWOW64\rlzhnbug\nzauplmj.exe /d"C:\Users\Admin\AppData\Local\Temp\281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 764

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
      PID: 2784
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
  Windows Service (2)
Downloads

Filesize: 12.0MB
MD5: e53c5065714275906dbd62cd4a071d0f
SHA1: 7e5eace3ba31dd0358758fdb7995f0dce02b5b45
SHA256: 90b1664f8c5c837bf888ff2b82d15cf104e8bb3ce11b2c7c9238352907b1945f
SHA512: 0a1b3afc08e7a5a928559d61ab089f206b4753f25353e1bf1b4f17ff43c4df5842c45e4833ef06973f81b3f7c0ed1c46000844b62e32a8852e77649a6d4e207b