Analysis
- max time kernel: 154s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/03/2024, 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: d3d0c67da718de678206c8e774c6d30c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d3d0c67da718de678206c8e774c6d30c.exe
- Resource: win10v2004-20240226-en
General
- Target: d3d0c67da718de678206c8e774c6d30c.exe
- Size: 14.6MB
- MD5: d3d0c67da718de678206c8e774c6d30c
- SHA1: b2b4039df080b6ad64d6a886ac4b29c76fcd1a37
- SHA256: 916ed7d444a4233ca18d621514bc9a419608860fa3d13d1aef060d9e034bceb1
- SHA512: 2647deb5b80f83d8d8f6a7f47e393fea4e57299703ba7458aba84317a5694eb5e70ea038342bdd60de5370b6fabb8685582c3e2115ca5fb1c4867af2b97b3974
- SSDEEP: 49152:r66666666666666666666666666666666666666666666666666666666666666/:
Malware Config
Extracted (tofsee):
- 43.231.4.6
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  - pid 4320, Process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zqfefpvp\ImagePath = "C:\\Windows\\SysWOW64\\zqfefpvp\\fzbexww.exe", Process svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, Process d3d0c67da718de678206c8e774c6d30c.exe
- Deletes itself (1 IoCs)
  - pid 2512, Process svchost.exe
- Executes dropped EXE (1 IoCs)
  - pid 5064, Process fzbexww.exe
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 5064 set thread context of 2512, Process fzbexww.exe, procid_target 121
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  - pid 2100 sc.exe; pid 1552 sc.exe; pid 1784 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  - pid 4576, pid_target 2680, Process WerFault.exe, procid_target 96
  - pid 4940, pid_target 5064, Process WerFault.exe, procid_target 114
- Suspicious use of WriteProcessMemory (23 IoCs)
  - PID 2680 wrote to memory of 3460, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 98
  - PID 2680 wrote to memory of 3460, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 98
  - PID 2680 wrote to memory of 3460, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 98
  - PID 2680 wrote to memory of 4576, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 102
  - PID 2680 wrote to memory of 4576, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 102
  - PID 2680 wrote to memory of 4576, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 102
  - PID 2680 wrote to memory of 2100, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 104
  - PID 2680 wrote to memory of 2100, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 104
  - PID 2680 wrote to memory of 2100, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 104
  - PID 2680 wrote to memory of 1552, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 107
  - PID 2680 wrote to memory of 1552, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 107
  - PID 2680 wrote to memory of 1552, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 107
  - PID 2680 wrote to memory of 1784, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 109
  - PID 2680 wrote to memory of 1784, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 109
  - PID 2680 wrote to memory of 1784, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 109
  - PID 2680 wrote to memory of 4320, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 111
  - PID 2680 wrote to memory of 4320, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 111
  - PID 2680 wrote to memory of 4320, Process d3d0c67da718de678206c8e774c6d30c.exe, procid_target 111
  - PID 5064 wrote to memory of 2512, Process fzbexww.exe, procid_target 121
  - PID 5064 wrote to memory of 2512, Process fzbexww.exe, procid_target 121
  - PID 5064 wrote to memory of 2512, Process fzbexww.exe, procid_target 121
  - PID 5064 wrote to memory of 2512, Process fzbexww.exe, procid_target 121
  - PID 5064 wrote to memory of 2512, Process fzbexww.exe, procid_target 121
Processes
- C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2680
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zqfefpvp\
    PID: 3460
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fzbexww.exe" C:\Windows\SysWOW64\zqfefpvp\
    PID: 4576
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create zqfefpvp binPath= "C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe /d\"C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 2100
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description zqfefpvp "wifi internet conection"
    - Launches sc.exe
    PID: 1552
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start zqfefpvp
    - Launches sc.exe
    PID: 1784
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 4320
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 744
    - Program crash
    PID: 4576
- C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe
  Command line: C:\Windows\SysWOW64\zqfefpvp\fzbexww.exe /d"C:\Users\Admin\AppData\Local\Temp\d3d0c67da718de678206c8e774c6d30c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5064
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 2512
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 520
    - Program crash
    PID: 4940
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2680 -ip 2680
  PID: 700
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5064 -ip 5064
  PID: 2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  PID: 2996
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Downloads
- Filesize: 14.8MB
  MD5: d93eb6eefae0588cf412f9151281e1b3
  SHA1: bda93aeeaed50e7b87ad7f25d212213bddc857f7
  SHA256: d2cd47fceb85115a43998c3ebee3382847ab66cd09f389180c76dd803671b78c
  SHA512: e8481de60dda25757ac488fa26a68fae9c4b176c2c2ba8e0654bd56d0c63777fa7c0b18c0ca57e13780ce548959b6f303aeaec94fb8b3a5feb5826318defa8db