Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
05/01/2025, 12:58
General
-
Target
Chrome Update.exe
-
Size
119KB
-
MD5
a39f21db0576a82177ee4c806766d763
-
SHA1
ee4676f4dedd24003ce1bd972cbce95ef51fa07f
-
SHA256
825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db
-
SHA512
ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133
-
SSDEEP
3072:IAWfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuyn1:IAD1SWHe/bgRY
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
Extracted
gurcu
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdate
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210546
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210547
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210548
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210549
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210550
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getFile?file_id=BQACAgQAAxkBAAMIZ3qCMF_cjzyyw9uX36HfJgjkWLEAAoQZAAKhZdFTilOkM3y6NaU2B
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendPhoto?chat_id=705362059
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
ToxicEye
ToxicEye is a trojan written in C#.
-
Toxiceye family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 49 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4000"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind ":"3⤵
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
190B
MD55d5f0ce9e518a93748b389f3784eff72
SHA1ca75586dbaae06fde8755e93da8fb0517d1a3755
SHA256656d2baaf6661aba0953df2eceb39cdbdf7a7c147ff4ae203b78c454b3633f32
SHA5129c5e55b758479850d5923edcbd70fda0587d699ac81924024b3265e23350612e7180e6ea54e8e2ae5aa7bd3da78fa991647c2d2475ae5e0a747cf86139d3ab1c
-
Filesize
119KB
MD5a39f21db0576a82177ee4c806766d763
SHA1ee4676f4dedd24003ce1bd972cbce95ef51fa07f
SHA256825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db
SHA512ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133
-
Filesize
680KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
144KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB