Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/03/2024, 01:05
Static task
static1
Behavioral task
behavioral1
Sample
b6202f30b837ad0025da86ecf9f5f1c9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b6202f30b837ad0025da86ecf9f5f1c9.exe
Resource
win10v2004-20240226-en
General
-
Target
b6202f30b837ad0025da86ecf9f5f1c9.exe
-
Size
12.6MB
-
MD5
b6202f30b837ad0025da86ecf9f5f1c9
-
SHA1
ac922759c8dde66341dd92f557c828b894aa0cfb
-
SHA256
b6768d16dbabafc1d9d07cdd065c875522cce0b6ee493187ba984e3e87b0aece
-
SHA512
ddf185d38b0ad7b7c8a69c27830c388ef3d20a3430cea4aecdeeae857b5d9209be4fda62d06b91b2018cd1d9f52f521fc95c5f9989ba4c54bd6f21bc4ebac527
-
SSDEEP
12288:ZRXQK44fy6111111111111111111111111111111111111111111111111111111:ZRx2
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ahwlndfr = "0" svchost.exe -
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2804 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ahwlndfr\ImagePath = "C:\\Windows\\SysWOW64\\ahwlndfr\\rielcbfj.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 512 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 1624 rielcbfj.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1624 set thread context of 512 1624 rielcbfj.exe 43 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1304 sc.exe 2548 sc.exe 2664 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2508 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 28 PID 2972 wrote to memory of 2508 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 28 PID 2972 wrote to memory of 2508 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 28 PID 2972 wrote to memory of 2508 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 28 PID 2972 wrote to memory of 2720 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 30 PID 2972 wrote to memory of 2720 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 30 PID 2972 wrote to memory of 2720 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 30 PID 2972 wrote to memory of 2720 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 30 PID 2972 wrote to memory of 1304 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 32 PID 2972 wrote to memory of 1304 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 32 PID 2972 wrote to memory of 1304 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 32 PID 2972 wrote to memory of 1304 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 32 PID 2972 wrote to memory of 2548 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 34 PID 2972 wrote to memory of 2548 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 34 PID 2972 wrote to memory of 2548 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 34 PID 2972 wrote to memory of 2548 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 34 PID 2972 wrote to memory of 2664 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 36 PID 2972 wrote to memory of 2664 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 36 PID 2972 wrote to memory of 2664 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 36 PID 2972 wrote to memory of 2664 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 36 PID 2972 wrote to memory of 2804 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 38 PID 2972 wrote to memory of 2804 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 38 PID 2972 wrote to memory of 2804 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 38 PID 2972 wrote to memory of 2804 2972 b6202f30b837ad0025da86ecf9f5f1c9.exe 38 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43 PID 1624 wrote to memory of 512 1624 rielcbfj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ahwlndfr\2⤵PID:2508
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe" C:\Windows\SysWOW64\ahwlndfr\2⤵PID:2720
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ahwlndfr binPath= "C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:1304
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ahwlndfr "wifi internet conection"2⤵
- Launches sc.exe
PID:2548
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ahwlndfr2⤵
- Launches sc.exe
PID:2664
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:2804
-
-
C:\Windows\SysWOW64\ahwlndfr\rielcbfj.exeC:\Windows\SysWOW64\ahwlndfr\rielcbfj.exe /d"C:\Users\Admin\AppData\Local\Temp\b6202f30b837ad0025da86ecf9f5f1c9.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:512
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.9MB
MD5cc4ad4e090e49892609c9f05e0c21c36
SHA1481a46393ed5c8e4c2e2633add328f962f07d2c8
SHA256d4e363255fb30fe319515fb5fe40d46a2ea3d786c44a0b4da35ec65ff6a9e47c
SHA5128e2d5f1d71f70edbf02f858d3ee0b79d86f93342550429630fb3993433bc4811622ababab612aee8ab308611358c2421cb833bf99f352913e1b7514ac3cbab80
-
Filesize
3.3MB
MD5d3044a59ce94fc11370394835fa8905a
SHA1652359d33c4bf1323d0ed20d63d6aa04ca506cbc
SHA256555a080dbd3cae755eff959095ec6a961251ae8ad45e07317e12554a05fa49ea
SHA51217e6dce8b66d94f7311bae985e81498de43d5f0b9ab0e56d1355c54d3b73cae44fb111c8db7617e2178d96e014409064ecac85c5a48e6638c0365a71b6fd3196