Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 18:48
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe
-
Size
13.2MB
-
MD5
ea50ccb5030d77cff9aa0307373d5956
-
SHA1
709184a2c6dab5d26455aa075e75b3e3353f6522
-
SHA256
bf401d6e9c1ac69b17073b0d4fb699870f2d4eacb53ca52e4b3fa0fdba47b5ac
-
SHA512
f31b63e5ea32e430aab05e83bbab5f62ec8f6c1dee4b007f042d458a2f182dad50db6b405a38dc515ceb37d2c97827ddd544851cacd584a4c5903c7be50f9bfd
-
SSDEEP
3072:JLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:MOMdRQr7OB0ypmMXnl8XEPM3noSWOC
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nrsieppl = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2756 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nrsieppl\ImagePath = "C:\\Windows\\SysWOW64\\nrsieppl\\awoolazn.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2872 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2892 awoolazn.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2892 set thread context of 2872 2892 awoolazn.exe 43 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2788 sc.exe 2748 sc.exe 2840 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awoolazn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2156 wrote to memory of 1528 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 30 PID 2156 wrote to memory of 1528 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 30 PID 2156 wrote to memory of 1528 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 30 PID 2156 wrote to memory of 1528 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 30 PID 2156 wrote to memory of 3052 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 32 PID 2156 wrote to memory of 3052 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 32 PID 2156 wrote to memory of 3052 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 32 PID 2156 wrote to memory of 3052 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 32 PID 2156 wrote to memory of 2788 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 34 PID 2156 wrote to memory of 2788 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 34 PID 2156 wrote to memory of 2788 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 34 PID 2156 wrote to memory of 2788 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 34 PID 2156 wrote to memory of 2748 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 36 PID 2156 wrote to memory of 2748 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 36 PID 2156 wrote to memory of 2748 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 36 PID 2156 wrote to memory of 2748 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 36 PID 2156 wrote to memory of 2840 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 38 PID 2156 wrote to memory of 2840 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 38 PID 2156 wrote to memory of 2840 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 38 PID 2156 wrote to memory of 2840 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 38 PID 2156 wrote to memory of 2756 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 41 PID 2156 wrote to memory of 2756 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 41 PID 2156 wrote to memory of 2756 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 41 PID 2156 wrote to memory of 2756 2156 2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe 41 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43 PID 2892 wrote to memory of 2872 2892 awoolazn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nrsieppl\2⤵
- System Location Discovery: System Language Discovery
PID:1528
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\awoolazn.exe" C:\Windows\SysWOW64\nrsieppl\2⤵
- System Location Discovery: System Language Discovery
PID:3052
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create nrsieppl binPath= "C:\Windows\SysWOW64\nrsieppl\awoolazn.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description nrsieppl "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start nrsieppl2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2756
-
-
C:\Windows\SysWOW64\nrsieppl\awoolazn.exeC:\Windows\SysWOW64\nrsieppl\awoolazn.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-01-27_ea50ccb5030d77cff9aa0307373d5956_mafia.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2872
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.6MB
MD525eb8ef958ab131de9e2b2870f8ec558
SHA17a8d95ff068172bc9841449ae341ca987ad766b0
SHA2567957930e25da13042f5d48070555184786fc609e833f075e3cb415fa539ec71f
SHA512cc5ac2f822983fa24930ccf8b89f56d67f55655c6f17262b0916175bb75071db42b26be2b70d192aed929eae10fd77d34f596a4a8fb29ef201d6c7ede35b2c57