Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    7s
  • max time network
    8s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/01/2025, 13:12

Errors

Reason
Machine shutdown

General

  • Target

    Chrome Update.exe

  • Size

    119KB

  • MD5

    eedc846c4cf322bbcf849a4af793ced5

  • SHA1

    77fa1a6feb62bd77d30be181696802e13524da8d

  • SHA256

    b3ccfc4ddc7f6abf0fa7606be8495acd20c23f85ab23c2fa8bfe43e84befa126

  • SHA512

    6eb5963fa6d4cca6a2de25850cf47064d8ba523223a55048600fce8cadd120487507af50b0fd39c14b20bed3b976bb9510b5699efc7533e540350101c087ba2c

  • SSDEEP

    3072:Y/aazycnfYOgWPyZ9dOpbZqHVQWqzCrAZuuQD:HIsWqndOpb4K

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Toxiceye family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Update\Update.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 4724"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4192
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2828
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1776
        • C:\Users\Update\Update.exe
          "Update.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Update\Update.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat

      Filesize

      191B

      MD5

      06699430c29f0d76fca06c4abfd779f9

      SHA1

      0f4bf017e3bd191d933a81e45c347ea0d1fc4d1c

      SHA256

      55a3136160d3d7adf81a62ee9a457eedf4a01715c252d64cd5139213a24b8d2b

      SHA512

      fb001afbd06a4fd166f102d747b4781f19a9b738b50903a5eed8cea386e4014f6bd44c996dcb697ff1fd2d517100191b1b448333edf8032ddd4fea3cb215746d

    • C:\Users\Update\Update.exe

      Filesize

      119KB

      MD5

      eedc846c4cf322bbcf849a4af793ced5

      SHA1

      77fa1a6feb62bd77d30be181696802e13524da8d

      SHA256

      b3ccfc4ddc7f6abf0fa7606be8495acd20c23f85ab23c2fa8bfe43e84befa126

      SHA512

      6eb5963fa6d4cca6a2de25850cf47064d8ba523223a55048600fce8cadd120487507af50b0fd39c14b20bed3b976bb9510b5699efc7533e540350101c087ba2c

    • memory/4724-0-0x00007FFCA4673000-0x00007FFCA4675000-memory.dmp

      Filesize

      8KB

    • memory/4724-1-0x00000206A8DF0000-0x00000206A8E14000-memory.dmp

      Filesize

      144KB

    • memory/4724-2-0x00007FFCA4670000-0x00007FFCA5132000-memory.dmp

      Filesize

      10.8MB

    • memory/4724-5-0x00007FFCA4670000-0x00007FFCA5132000-memory.dmp

      Filesize

      10.8MB