Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Chrome Update.exe

windows10-ltsc 2021-x64

Analysis

  • max time kernel
    5s
  • max time network
    6s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/01/2025, 13:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Chrome Update.exe

  • Size

    119KB

  • MD5

    a39f21db0576a82177ee4c806766d763

  • SHA1

    ee4676f4dedd24003ce1bd972cbce95ef51fa07f

  • SHA256

    825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

  • SHA512

    ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

  • SSDEEP

    3072:IAWfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuyn1:IAD1SWHe/bgRY

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4080
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA2D7.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA2D7.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 704"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:1236
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4528
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3444
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA2D7.tmp.bat
      Filesize

      189B

      MD5

      95539f567d1cbd10a1a4ad228af4637f

      SHA1

      1a22b41ea942cb3d60151561c12c12bc1b25ffb4

      SHA256

      16f23467fc6f281a8e41cc6646ecd5a08f74b32c4642ddcab34883590dc11697

      SHA512

      595a96cc47fc2bacae14db1ab0e13a39d24f977cc55e95b6d6dc254e32e9bb5689fb06fe4ae2675fa11e1b4d98aa535c84082a0dc4c0b49fa023187593ec8146

      Download Submit

    • C:\Users\ToxicEye\rat.exe
      Filesize

      119KB

      MD5

      a39f21db0576a82177ee4c806766d763

      SHA1

      ee4676f4dedd24003ce1bd972cbce95ef51fa07f

      SHA256

      825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

      SHA512

      ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

      Download Submit

    • memory/704-0-0x00007FF817903000-0x00007FF817905000-memory.dmp

      Filesize

      8KB

      Download

    • memory/704-1-0x0000021CC83F0000-0x0000021CC8414000-memory.dmp

      Filesize

      144KB

      Download

    • memory/704-2-0x00007FF817900000-0x00007FF8183C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/704-5-0x00007FF817900000-0x00007FF8183C2000-memory.dmp

      Filesize

      10.8MB

      Download