Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 19:13
Static task: static1
Behavioral task: behavioral1
- Sample: 0162043ff06fc0b7df59995580637c08.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0162043ff06fc0b7df59995580637c08.exe
- Resource: win10v2004-20231215-en
General
- Target: 0162043ff06fc0b7df59995580637c08.exe
- Size: 10.1MB
- MD5: 0162043ff06fc0b7df59995580637c08
- SHA1: dbc586ca0e60b45b96824f4daa8d0ec4d3d41bdd
- SHA256: 68144fe9a725e15493eb9156fc66f401701aff5daec246cb7489eca9993fa751
- SHA512: 76bdd28851dd82ff301f77e98a1cd03cc6950dfdd04396293fb4d1181c74febdead5574b2a5d20148908a9a13850be83b279c1a5248be633bf30b62aa953c121
- SSDEEP: 196608:YV8YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY4:
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.6
- C2: lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID 4416, netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nszekpmk\ImagePath = "C:\\Windows\\SysWOW64\\nszekpmk\\xrtwpoo.exe" (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (0162043ff06fc0b7df59995580637c08.exe)
- Deletes itself (1 IoCs)
  PID 2688, svchost.exe (the svchost.exe spawned by the dropped service binary; the original sample path was handed to that binary as its /d argument, see the process tree)
- Executes dropped EXE (1 IoCs)
  PID 4540, xrtwpoo.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4540 (xrtwpoo.exe) set thread context of PID 2688 (procid_target 105). Combined with the WriteProcessMemory calls into the same child, this is the create-suspended/write/rewrite-context pattern of process hollowing; the registry write and self-delete attributed to PID 2688 above come from that injected svchost.exe.
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PIDs 3620, 1916, 3884 (sc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 748 (WerFault.exe) for target PID 2164 (procid_target 86)
  PID 2612 (WerFault.exe) for target PID 4540 (procid_target 100)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID  Process                               Target PID  procid_target  Calls
  2164        0162043ff06fc0b7df59995580637c08.exe  4868        90             3
  2164        0162043ff06fc0b7df59995580637c08.exe  4716        92             3
  2164        0162043ff06fc0b7df59995580637c08.exe  3620        95             3
  2164        0162043ff06fc0b7df59995580637c08.exe  1916        96             3
  2164        0162043ff06fc0b7df59995580637c08.exe  3884        98             3
  2164        0162043ff06fc0b7df59995580637c08.exe  4416        102            3
  4540        xrtwpoo.exe                           2688        105            5
Processes
- C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4868)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nszekpmk\
  - C:\Windows\SysWOW64\cmd.exe (PID 4716)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrtwpoo.exe" C:\Windows\SysWOW64\nszekpmk\
  - C:\Windows\SysWOW64\sc.exe (PID 3620)
    Command line: "C:\Windows\System32\sc.exe" create nszekpmk binPath= "C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe /d\"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1916)
    Command line: "C:\Windows\System32\sc.exe" description nszekpmk "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3884)
    Command line: "C:\Windows\System32\sc.exe" start nszekpmk
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4416)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 748)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1164
    Signatures: Program crash
- C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe (PID 4540)
  Command line: C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe /d"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2688)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe (PID 2612)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 556
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4644)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2164 -ip 2164
- C:\Windows\SysWOW64\WerFault.exe (PID 4772)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4540 -ip 4540
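The process tree above is the whole Tofsee install chain in six command lines: cmd.exe creates a random-named subfolder under SysWOW64 and moves the dropped binary into it, sc.exe registers it as an auto-start service with a benign display name and starts it, netsh.exe opens an inbound firewall allow rule for svchost.exe, and the service binary then spawns and hollows a svchost.exe. Each step is individually noisy to alert on, but they correlate cleanly on the parent PID. The Python below is an added example, not part of the tria.ge report: it runs that detection logic over process-creation events constructed from the tree above. The flat event layout (pid, ppid, image, cmdline), the parent PIDs (taken from the tree nesting; the SCM-started service binary has no parent in the tree) and the helper names `detect` and `installer_pids` are all assumptions for illustration, not a real Sysmon or EDR schema.

```python
"""Detection logic for the Tofsee install chain in the process tree above.
Added example, not part of the tria.ge report. The event layout (pid, ppid,
image, cmdline) is an assumed flat schema; events are constructed from the
report's command lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not present in the sample
    image: str
    cmdline: str

@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    rule: str
    detail: str

# Constructed from the report's tree; PID 4540 is started by the SCM, so its parent is unknown here.
SAMPLE_EVENTS = [
    ProcEvent(2164, 0, r"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe"'),
    ProcEvent(4868, 2164, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\nszekpmk\\'),
    ProcEvent(4716, 2164, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrtwpoo.exe" C:\\Windows\\SysWOW64\\nszekpmk\\'),
    ProcEvent(3620, 2164, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create nszekpmk binPath= "C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe /d\"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(1916, 2164, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" description nszekpmk "wifi internet conection"'),
    ProcEvent(3884, 2164, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start nszekpmk'),
    ProcEvent(4416, 2164, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(4540, 0, r"C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe",
              r'C:\Windows\SysWOW64\nszekpmk\xrtwpoo.exe /d"C:\Users\Admin\AppData\Local\Temp\0162043ff06fc0b7df59995580637c08.exe"'),
    ProcEvent(2688, 4540, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
]

# An .exe inside a subfolder of System32/SysWOW64: legitimate service binaries sit in the directory itself.
SYSDIR_SUBDIR_EXE = re.compile(r'^[a-z]:\\windows\\(?:syswow64|system32)\\[^\\\s"]+\\[^\\\s"]+\.exe', re.I)
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)\s+.*?binpath=\s*"?([^"]+)', re.I)
START_AUTO = re.compile(r'\bstart=\s*auto\b', re.I)
NETSH_ALLOW = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)', re.I)
STAGING = re.compile(r'\b(?:mkdir|md|move|copy|xcopy)\b.*?([a-z]:\\windows\\(?:syswow64|system32)\\[^\\\s"]+\\)', re.I)
SVCHOST_GROUP = re.compile(r'\s-k\s+\S+', re.I)   # genuine svchost instances always carry -k <group>

def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    out: List[Finding] = []
    for e in events:
        cl, img = e.cmdline, _basename(e.image)
        m = SC_CREATE.search(cl)
        if m and SYSDIR_SUBDIR_EXE.match(m.group(2).strip()):
            auto = "auto-start " if START_AUTO.search(cl) else ""
            out.append(Finding(e.pid, e.ppid, "service_binpath_in_sysdir_subfolder",
                               f"{auto}service {m.group(1)} -> {m.group(2).strip()}"))
        m = NETSH_ALLOW.search(cl)
        if m and _basename(m.group(1)) == "svchost.exe":
            out.append(Finding(e.pid, e.ppid, "firewall_allow_rule_for_svchost", m.group(1)))
        m = STAGING.search(cl)
        if m and img == "cmd.exe":
            out.append(Finding(e.pid, e.ppid, "staging_in_sysdir_subfolder", m.group(1)))
        if img == "svchost.exe":
            parent = by_pid.get(e.ppid)
            bad_parent = parent is not None and _basename(parent.image) != "services.exe"
            if bad_parent or not SVCHOST_GROUP.search(cl):   # hollowing host: wrong parent, no -k group
                who = _basename(parent.image) if parent else "<unknown>"
                out.append(Finding(e.pid, e.ppid, "svchost_with_unexpected_parent_or_args",
                                   f"parent={who} cmdline={cl!r}"))
    return out

CHAIN_RULES = {"service_binpath_in_sysdir_subfolder", "firewall_allow_rule_for_svchost",
               "staging_in_sysdir_subfolder"}

def installer_pids(findings: List[Finding]) -> List[int]:
    """Parents whose children trip at least two distinct install-chain rules."""
    seen: Dict[int, Set[str]] = {}
    for f in findings:
        if f.rule in CHAIN_RULES:
            seen.setdefault(f.ppid, set()).add(f.rule)
    return sorted(p for p, rules in seen.items() if len(rules) >= 2)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f.pid} (ppid {f.ppid}) {f.rule}: {f.detail}")
    print("installer candidates:", installer_pids(found))
```

Run against the constructed events, `detect` flags the two cmd.exe staging commands, the sc create into the SysWOW64 subfolder (auto-start), the netsh allow rule for svchost.exe, and the svchost.exe whose parent is xrtwpoo.exe rather than services.exe; the sc description/start calls and the service binary itself stay quiet. `installer_pids` then names PID 2164, because three distinct chain rules fired under it. The per-event rules are deliberately loose (mkdir under SysWOW64 happens in legitimate installers); the parent-PID correlation is what turns them into a usable alert.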
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 9.1MB
  MD5: e4263d4b11d27626ae666d8faa3ee018
  SHA1: 75b8f8eae78b4b6d0f860444cfffa7eb9b6b74b5
  SHA256: 89bbe318dbe34253046f55752d806eca06dab14c26362e62b223234ca04c5f37
  SHA512: affffbb21ce5026ea88f6b7d4b732b9f7a08731917dd57bea89d655a00ec66d0a141c8eed7ad8257db5f5a5561104fb9a76f3b869e9e7c66d1397917310a7249
- Filesize: 10.7MB
  MD5: 2866ab644ada607fb12947f7807843c3
  SHA1: 41cc9d1dfe60b330d3a7b043442af4881922d2bf
  SHA256: 911957122f2dd571e29e5ee3ebb7e70b85ecd1a7b16fbbac2bee2f55d5157df6
  SHA512: abb19685e7994b8805a6ee98f1f5875815dd5638695517cadbde78eb93222d334981e8f7ca6251c29ff5aac4d80ee99b5c5fdcbfff91fdf425d0970e1ec3a08e