Analysis
max time kernel: 7s
max time network: 8s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 05/01/2025, 13:12
General
Target: Chrome Update.exe
Size: 119KB
MD5: eedc846c4cf322bbcf849a4af793ced5
SHA1: 77fa1a6feb62bd77d30be181696802e13524da8d
SHA256: b3ccfc4ddc7f6abf0fa7606be8495acd20c23f85ab23c2fa8bfe43e84befa126
SHA512: 6eb5963fa6d4cca6a2de25850cf47064d8ba523223a55048600fce8cadd120487507af50b0fd39c14b20bed3b976bb9510b5699efc7533e540350101c087ba2c
SSDEEP: 3072:Y/aazycnfYOgWPyZ9dOpbZqHVQWqzCrAZuuQD:HIsWqndOpb4K
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
Signatures
- Toxiceye family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation | Chrome Update.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation | Update.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2080 | Update.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid | Process
  4192 | tasklist.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  1776 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3720 | schtasks.exe
  2876 | schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2080 | Update.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2080 | Update.exe
  2080 | Update.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4724 | Chrome Update.exe
  Token: SeDebugPrivilege | 4192 | tasklist.exe
  Token: SeDebugPrivilege | 2080 | Update.exe
  Token: SeDebugPrivilege | 2080 | Update.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2080 | Update.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4724 wrote to memory of 3720 | 4724 | Chrome Update.exe | 84
  PID 4724 wrote to memory of 3720 | 4724 | Chrome Update.exe | 84
  PID 4724 wrote to memory of 2772 | 4724 | Chrome Update.exe | 86
  PID 4724 wrote to memory of 2772 | 4724 | Chrome Update.exe | 86
  PID 2772 wrote to memory of 4192 | 2772 | cmd.exe | 88
  PID 2772 wrote to memory of 4192 | 2772 | cmd.exe | 88
  PID 2772 wrote to memory of 2828 | 2772 | cmd.exe | 89
  PID 2772 wrote to memory of 2828 | 2772 | cmd.exe | 89
  PID 2772 wrote to memory of 1776 | 2772 | cmd.exe | 90
  PID 2772 wrote to memory of 1776 | 2772 | cmd.exe | 90
  PID 2772 wrote to memory of 2080 | 2772 | cmd.exe | 93
  PID 2772 wrote to memory of 2080 | 2772 | cmd.exe | 93
  PID 2080 wrote to memory of 2876 | 2080 | Update.exe | 96
  PID 2080 wrote to memory of 2876 | 2080 | Update.exe | 96
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  PID: 4724
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Update\Update.exe"
    PID: 3720
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat
    PID: 2772
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe
      Command line: Tasklist /fi "PID eq 4724"
      PID: 4192
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\find.exe
      Command line: find ":"
      PID: 2828
    - C:\Windows\system32\timeout.exe
      Command line: Timeout /T 1 /Nobreak
      PID: 1776
      Signatures: Delays execution with timeout.exe
    - C:\Users\Update\Update.exe
      Command line: "Update.exe"
      PID: 2080
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Update\Update.exe"
        PID: 2876
        Signatures: Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 191B
MD5: 06699430c29f0d76fca06c4abfd779f9
SHA1: 0f4bf017e3bd191d933a81e45c347ea0d1fc4d1c
SHA256: 55a3136160d3d7adf81a62ee9a457eedf4a01715c252d64cd5139213a24b8d2b
SHA512: fb001afbd06a4fd166f102d747b4781f19a9b738b50903a5eed8cea386e4014f6bd44c996dcb697ff1fd2d517100191b1b448333edf8032ddd4fea3cb215746d