Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 18:44
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe
-
Size
13.3MB
-
MD5
6aedcabbe6c76777301c851da07c6c3c
-
SHA1
844aaac0d4383b8df6bf5ebe266ed8b704f76bb2
-
SHA256
df205ed8f7724b3a6a00a9fecca1aeef1077885af5a9be0a85a910920919701e
-
SHA512
0f940b01a7d5695ad414b818cf082de7d37e36d5b715024b1fe8650f45613facfb03ca006efa0962e35fd9f47d524f2af55fc1cb350676db903bff6fe6c221ce
-
SSDEEP
3072:RLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:UOMdRQr7OB0ypmMXnl8XEPM3noSWOC
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ruyaarsk = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2616 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ruyaarsk\ImagePath = "C:\\Windows\\SysWOW64\\ruyaarsk\\tnnepypr.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2060 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2568 tnnepypr.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2568 set thread context of 2060 2568 tnnepypr.exe 43 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2668 sc.exe 2724 sc.exe 2608 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnepypr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2744 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 30 PID 2692 wrote to memory of 2744 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 30 PID 2692 wrote to memory of 2744 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 30 PID 2692 wrote to memory of 2744 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 30 PID 2692 wrote to memory of 2808 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 32 PID 2692 wrote to memory of 2808 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 32 PID 2692 wrote to memory of 2808 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 32 PID 2692 wrote to memory of 2808 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 32 PID 2692 wrote to memory of 2668 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 34 PID 2692 wrote to memory of 2668 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 34 PID 2692 wrote to memory of 2668 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 34 PID 2692 wrote to memory of 2668 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 34 PID 2692 wrote to memory of 2724 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 36 PID 2692 wrote to memory of 2724 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 36 PID 2692 wrote to memory of 2724 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 36 PID 2692 wrote to memory of 2724 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 36 PID 2692 wrote to memory of 2608 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 38 PID 2692 wrote to memory of 2608 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 38 PID 2692 wrote to memory of 2608 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 38 PID 2692 wrote to memory of 2608 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 38 PID 2692 wrote to memory of 2616 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 41 PID 2692 wrote to memory of 2616 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 41 PID 2692 wrote to memory of 2616 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 41 PID 2692 wrote to memory of 2616 2692 2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe 41 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43 PID 2568 wrote to memory of 2060 2568 tnnepypr.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ruyaarsk\2⤵
- System Location Discovery: System Language Discovery
PID:2744
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tnnepypr.exe" C:\Windows\SysWOW64\ruyaarsk\2⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ruyaarsk binPath= "C:\Windows\SysWOW64\ruyaarsk\tnnepypr.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2668
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ruyaarsk "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2724
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ruyaarsk2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2608
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Windows\SysWOW64\ruyaarsk\tnnepypr.exeC:\Windows\SysWOW64\ruyaarsk\tnnepypr.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-27_6aedcabbe6c76777301c851da07c6c3c_mafia.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2060
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.9MB
MD55e78fd16efa82dea2487ab712fc06f7f
SHA1639916304767cc463145752267dabd2bfb9ff5e5
SHA2565b43ffc87c334dcdd9dbddad5ff43e3cab6cd30efbafd2867b4c87b0adabb0e8
SHA51228513c3bfef18a6ff9658f7b09cb2d471db7cf401ff48f46c9f79ba30bbff075e4019d270bb679c9123bebaedd491d6e48dec203d1ddc824f295b183f19c0d2b