Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/01/2024, 18:14

Static task: static1
Behavioral task: behavioral1
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
  Resource: win10v2004-20231222-en
General
- Target: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
- Size: 13.1MB
- MD5: f1bdc796ba64b96cd4aaaf20ff3da0cc
- SHA1: 3853853e87d469821b136c75f4bc16b09a9c5a2b
- SHA256: 46c879741fc6d476d4ff3edcd1b33c43c5b6107958925d706dd83fb0b1035f20
- SHA512: e6876df269d2c0559484e37b0da780191c45ae3a6b3d48b7dc01002e5a789e696a6fe7b9674e60d90e94bd5214a7ebb2012a3bd39bf381bc79d40aa33b5bf92a
- SSDEEP: 24576:Vl3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  316   netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\htrofery\ImagePath = "C:\\Windows\\SysWOW64\\htrofery\\ehrxepiy.exe"
  Process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation
  Process: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
- Deletes itself (1 IoCs)
  pid   Process
  5100  svchost.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  4888  ehrxepiy.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process       procid_target
  PID 4888 set thread context of 5100  4888  ehrxepiy.exe  107
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  1556  sc.exe
  4580  sc.exe
  4480  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                      pid   Process                               procid_target
  PID 528 wrote to memory of 2608  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  94
  PID 528 wrote to memory of 2608  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  94
  PID 528 wrote to memory of 2608  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  94
  PID 528 wrote to memory of 4424  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  97
  PID 528 wrote to memory of 4424  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  97
  PID 528 wrote to memory of 4424  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  97
  PID 528 wrote to memory of 1556  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  99
  PID 528 wrote to memory of 1556  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  99
  PID 528 wrote to memory of 1556  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  99
  PID 528 wrote to memory of 4580  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  101
  PID 528 wrote to memory of 4580  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  101
  PID 528 wrote to memory of 4580  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  101
  PID 528 wrote to memory of 4480  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  103
  PID 528 wrote to memory of 4480  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  103
  PID 528 wrote to memory of 4480  528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  103
  PID 528 wrote to memory of 316   528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  106
  PID 528 wrote to memory of 316   528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  106
  PID 528 wrote to memory of 316   528   f1bdc796ba64b96cd4aaaf20ff3da0cc.exe  106
  PID 4888 wrote to memory of 5100 4888  ehrxepiy.exe                          107
  PID 4888 wrote to memory of 5100 4888  ehrxepiy.exe                          107
  PID 4888 wrote to memory of 5100 4888  ehrxepiy.exe                          107
  PID 4888 wrote to memory of 5100 4888  ehrxepiy.exe                          107
  PID 4888 wrote to memory of 5100 4888  ehrxepiy.exe                          107
Processes
- C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe (PID:528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID:2608)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htrofery\
  - C:\Windows\SysWOW64\cmd.exe (PID:4424)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ehrxepiy.exe" C:\Windows\SysWOW64\htrofery\
  - C:\Windows\SysWOW64\sc.exe (PID:1556)
    Command line: "C:\Windows\System32\sc.exe" create htrofery binPath= "C:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID:4580)
    Command line: "C:\Windows\System32\sc.exe" description htrofery "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID:4480)
    Command line: "C:\Windows\System32\sc.exe" start htrofery
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID:316)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\htrofery\ehrxepiy.exe (PID:4888)
  Command line: C:\Windows\SysWOW64\htrofery\ehrxepiy.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID:5100)
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 1.3MB
  MD5: 2cf38946970ecb0f4ec259d6cbaf7d3d
  SHA1: a8e7d43a52968a3c70768a07bbfb60eaa0f4d888
  SHA256: bc491513179fb643e3863b439c9ee1efd742afce6be742aa215be119e7ae8e23
  SHA512: d68c4f66b56ffa576808c5f77f94ca5e18636cec252fe8a4465d2342a9ae780a3d379e232398a8cecae9a6a0531071a7490d40693f6502b612344ba19a90c9bc
- Filesize: 99KB
  MD5: 07506671ae860c321526f3b43f8f44a3
  SHA1: d9467b184f45cfb99f9b91829f9f4b1f4156f98e
  SHA256: 99c362704a185960aad4a01b42276c746f441bb490e18d36ea8ae0bc24dc83c6
  SHA512: 48023648ba17fa87c00f724d9b22541d839fdf4d6897ac8455ddccb1c855ad97f10af74aec248dfeb091c2152affc43f6826a10aa6c95d319ba33fc7837c3d6a