Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 18:39
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
-
Size
13.3MB
-
MD5
6aedcabbe6c76777301c851da07c6c3c
-
SHA1
844aaac0d4383b8df6bf5ebe266ed8b704f76bb2
-
SHA256
df205ed8f7724b3a6a00a9fecca1aeef1077885af5a9be0a85a910920919701e
-
SHA512
0f940b01a7d5695ad414b818cf082de7d37e36d5b715024b1fe8650f45613facfb03ca006efa0962e35fd9f47d524f2af55fc1cb350676db903bff6fe6c221ce
-
SSDEEP
3072:RLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:UOMdRQr7OB0ypmMXnl8XEPM3noSWOC
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\akxujbeo = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2880 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\akxujbeo\ImagePath = "C:\\Windows\\SysWOW64\\akxujbeo\\rielcbfj.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2708 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2820 rielcbfj.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2820 set thread context of 2708 2820 rielcbfj.exe 42 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2924 sc.exe 2472 sc.exe 1528 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rielcbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2204 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 29 PID 2140 wrote to memory of 2204 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 29 PID 2140 wrote to memory of 2204 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 29 PID 2140 wrote to memory of 2204 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 29 PID 2140 wrote to memory of 2856 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 31 PID 2140 wrote to memory of 2856 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 31 PID 2140 wrote to memory of 2856 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 31 PID 2140 wrote to memory of 2856 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 31 PID 2140 wrote to memory of 2924 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 33 PID 2140 wrote to memory of 2924 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 33 PID 2140 wrote to memory of 2924 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 33 PID 2140 wrote to memory of 2924 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 33 PID 2140 wrote to memory of 2472 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 35 PID 2140 wrote to memory of 2472 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 35 PID 2140 wrote to memory of 2472 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 35 PID 2140 wrote to memory of 2472 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 35 PID 2140 wrote to memory of 1528 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 37 PID 2140 wrote to memory of 1528 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 37 PID 2140 wrote to memory of 1528 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 37 PID 2140 wrote to memory of 1528 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 37 PID 2140 wrote to memory of 2880 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 40 PID 2140 wrote to memory of 2880 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 40 PID 2140 wrote to memory of 2880 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 40 PID 2140 wrote to memory of 2880 2140 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 40 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42 PID 2820 wrote to memory of 2708 2820 rielcbfj.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\akxujbeo\2⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe" C:\Windows\SysWOW64\akxujbeo\2⤵
- System Location Discovery: System Language Discovery
PID:2856
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create akxujbeo binPath= "C:\Windows\SysWOW64\akxujbeo\rielcbfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description akxujbeo "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2472
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start akxujbeo2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1528
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\SysWOW64\akxujbeo\rielcbfj.exeC:\Windows\SysWOW64\akxujbeo\rielcbfj.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.9MB
MD505fe1b2524b1908a7ff6cc0c5681fe1f
SHA187193f305b563ebbff65614073b8bb41d0984823
SHA256a9e951d88e8b02ac4e1b6fb492fdba48d88aad0cc839c7ae78c28d8758d7e61c
SHA512d9aaf0ed0626c238930a0a37a06fab577caf1c011897d2b9c6bd0414034850deca09b23baab2f37bfb6afda921b3e56e7687f0362d4a6466c85df44308c37135