Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 185s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 02:59
Behavioral tasks
behavioral1: sample 2577b910eeaf33608920f2202a64b07c.exe, resource win7-20231215-en
behavioral2: sample 2577b910eeaf33608920f2202a64b07c.exe, resource win10v2004-20231215-en
General
Target: 2577b910eeaf33608920f2202a64b07c.exe
Size: 10.4MB
MD5: 2577b910eeaf33608920f2202a64b07c
SHA1: e3a0dd0c1cab946b2ba8fdb24dca6db350ae6630
SHA256: 958fed2ae0ab7d68ce87e0694d6dca03c67d318a7d7cda91db4d1ad711b771d4
SHA512: 824bec1b9ce5b3a4087cf434910ebb40c2b779deb22260b755e49282c9c651322f9c00242e97c39de44d5a6b6e44c51bb59ba3d390750fcae66e1b0f41e87e4c
SSDEEP: 6144:d5VCb4QuzFYpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:D8NKFYp
Malware Config
Extracted family: tofsee
43.231.4.7
lazystax.ru
Signatures
Creates new service(s) (1 TTP)
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 2380  netsh.exe
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hiinsiru\ImagePath = "C:\\Windows\\SysWOW64\\hiinsiru\\nsffihxc.exe"  svchost.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation  2577b910eeaf33608920f2202a64b07c.exe
Deletes itself (1 IoC)
  pid 3744  svchost.exe
Executes dropped EXE (1 IoC)
  pid 4432  nsffihxc.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 4432 (nsffihxc.exe) set thread context of PID 3744 (target procid 105)
Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  pid 3496  sc.exe
  pid 4204  sc.exe
  pid 2984  sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs; one row per writer/target pair, "calls" is the number of recorded writes)
  writer PID  writer process                         target PID  target procid  calls
  3336        2577b910eeaf33608920f2202a64b07c.exe   3588        92             3
  3336        2577b910eeaf33608920f2202a64b07c.exe   3724        94             3
  3336        2577b910eeaf33608920f2202a64b07c.exe   3496        96             3
  3336        2577b910eeaf33608920f2202a64b07c.exe   4204        98             3
  3336        2577b910eeaf33608920f2202a64b07c.exe   2984        100            3
  3336        2577b910eeaf33608920f2202a64b07c.exe   2380        102            3
  4432        nsffihxc.exe                           3744        105            5
Processes
Note: the sample is 32-bit (resource tag arch:x86), so the System32 paths in the command lines below resolve to SysWOW64 through WOW64 file system redirection, which is why the recorded process images are under C:\Windows\SysWOW64. The firewall rule names C:\Windows\SysWOW64\svchost.exe explicitly.

C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe (PID 3336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3588)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hiinsiru\
  C:\Windows\SysWOW64\cmd.exe (PID 3724)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe" C:\Windows\SysWOW64\hiinsiru\
  C:\Windows\SysWOW64\sc.exe (PID 3496)
    Command line: "C:\Windows\System32\sc.exe" create hiinsiru binPath= "C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 4204)
    Command line: "C:\Windows\System32\sc.exe" description hiinsiru "wifi internet conection"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2984)
    Command line: "C:\Windows\System32\sc.exe" start hiinsiru
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (PID 2380)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe (PID 4432, started by the service hiinsiru)
  Command line: C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe /d"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 3744; target of the SetThreadContext and WriteProcessMemory calls from PID 4432)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
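The install chain recorded in this process tree (mkdir under SysWOW64, move of the dropped EXE, sc create / description / start, netsh allow rule for the WOW64 svchost.exe) and the signatures it triggers can be matched from the command lines alone. The following is an added example, not code from tria.ge or from this report: it takes the command lines and PIDs above, embedded here as constructed sample events, and runs them through a small parser for sc.exe and netsh option syntax. The function names (parse_kv, analyze), the Finding class and the rule names are my own choices, as are the heuristics (auto-start service whose binary sits in a subdirectory of SysWOW64, a /d argument pointing into the user's Temp directory, start of a service created by the same chain, and an inbound allow rule for SysWOW64\svchost.exe).

```python
import re
from dataclasses import dataclass

# Constructed sample events (pid, image, command line), copied from the process tree in this report.
SAMPLE_EVENTS = [
    (3588, r'C:\Windows\SysWOW64\cmd.exe',
     r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hiinsiru' + '\\'),
    (3724, r'C:\Windows\SysWOW64\cmd.exe',
     r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nsffihxc.exe" '
     r'C:\Windows\SysWOW64\hiinsiru' + '\\'),
    (3496, r'C:\Windows\SysWOW64\sc.exe',
     r'"C:\Windows\System32\sc.exe" create hiinsiru binPath= "C:\Windows\SysWOW64\hiinsiru\nsffihxc.exe '
     r'/d\"C:\Users\Admin\AppData\Local\Temp\2577b910eeaf33608920f2202a64b07c.exe\"" '
     r'type= own start= auto DisplayName= "wifi support"'),
    (4204, r'C:\Windows\SysWOW64\sc.exe',
     r'"C:\Windows\System32\sc.exe" description hiinsiru "wifi internet conection"'),
    (2984, r'C:\Windows\SysWOW64\sc.exe',
     r'"C:\Windows\System32\sc.exe" start hiinsiru'),
    (2380, r'C:\Windows\SysWOW64\netsh.exe',
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
     r'name="Host-process for services of Windows" dir=in action=allow '
     r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
]

# "key= value" (sc.exe requires the space after '=') or key=value (netsh).
# Quoted values may contain \" escapes, as the binPath above does.
_KV = re.compile(r'(\w+)=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))')
_SC_VERB = re.compile(r'sc\.exe"?\s+(\w+)\s+(\S+)', re.I)
# Binary in a subdirectory of SysWOW64 (legitimate service binaries sit directly in System32/SysWOW64).
_SYSWOW64_SUBDIR = re.compile(r'^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$', re.I)
# Argument of the form /d"<path under the user's Temp directory>" (the dropper handing itself to the service).
_TEMP_DROPPER_ARG = re.compile(r'/d"?[^"]*\\AppData\\Local\\Temp\\', re.I)
_WOW64_SVCHOST = re.compile(r'\\SysWOW64\\svchost\.exe$', re.I)


def parse_kv(cmdline):
    """Return the key=value options of an sc.exe or netsh command line, keys lower-cased."""
    cmdline = re.sub(r'\s*>\s*nul\s*$', '', cmdline, flags=re.I)  # drop a trailing ">nul" redirection
    opts = {}
    for key, quoted, bare in _KV.findall(cmdline):
        value = quoted if quoted else bare
        opts[key.lower()] = value.replace('\\"', '"')  # unescape \" inside quoted values
    return opts


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def analyze(events):
    """Scan (pid, image, cmdline) events for the service-install chain seen in this report."""
    findings = []
    created = {}  # lower-cased service name -> pid of the 'sc create' that introduced it
    for pid, image, cmd in events:
        exe = image.rsplit('\\', 1)[-1].lower()
        if exe == 'sc.exe':
            m = _SC_VERB.search(cmd)
            if not m:
                continue
            verb, svc = m.group(1).lower(), m.group(2)
            if verb == 'create':
                opts = parse_kv(cmd)
                binpath = opts.get('binpath', '')
                binary = binpath.split(' /', 1)[0].strip('"')  # service binary without its arguments
                created[svc.lower()] = pid
                if _SYSWOW64_SUBDIR.match(binary) and opts.get('start', '').lower() == 'auto':
                    findings.append(Finding('autostart_service_in_syswow64_subdir', pid, f'{svc}: {binary}'))
                if _TEMP_DROPPER_ARG.search(binpath):
                    findings.append(Finding('service_argument_points_to_temp_dropper', pid, f'{svc}: {binpath}'))
            elif verb == 'start' and svc.lower() in created:
                findings.append(Finding('newly_created_service_started', pid, svc))
        elif exe == 'netsh.exe' and re.search(r'\badd\s+rule\b', cmd, re.I):
            opts = parse_kv(cmd)
            program = opts.get('program', '')
            if (opts.get('action', '').lower() == 'allow' and opts.get('dir', '').lower() == 'in'
                    and _WOW64_SVCHOST.search(program)):
                findings.append(Finding('inbound_allow_rule_for_syswow64_svchost', pid,
                                        f'{opts.get("name", "")}: {program}'))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f'[{f.rule}] pid={f.pid} {f.detail}')
```

Run against the sample events it reports four findings: the auto-start service with a binary under SysWOW64\hiinsiru\, the /d argument pointing back at the dropper in Temp, the immediate start of that service, and the inbound allow rule for SysWOW64\svchost.exe. A service created with a binary under Program Files produces no finding, so the heuristics key on the placement and arguments, not on sc.exe use as such.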
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads
Filesize: 9.2MB
MD5: b9d18e98dc7bc0d184da4680de44930f
SHA1: 04e22156bf9b2db111ab547c778bb7ed1847c3aa
SHA256: 08f5abf36b515a7b30dd1e2ee95f8351354cb0cae56c88675c7a8a36b1de873a
SHA512: 6865d3d8b879efda1e70f2344a960e404d53f03daa27c2f3c1f5a68c862456bcdf8284473d525ab6b6e6babb2dc4e84f21c528972ab964470dd7b44bf73f545e

Filesize: 4.0MB
MD5: a540a6f6257dd515ef94fbdaa11ad994
SHA1: 4a2837df50d5339d89ad1358906f87591d06824f
SHA256: 478fbb2e9a2aa81316cfb5dcceb2cdd1871095e790cc19587600012298dc0cdb
SHA512: de33961d1d34b2eff4371a1bac0cc221c03aceff5e6c2ae4704d659f2510333f3368bc68035dc042a23cc7c3a4f06c359dc10dec3eeae4d1037f2927720b6e64