Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/02/2025, 03:38
Static task
static1
Behavioral task
behavioral1
Sample
2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe
-
Size
11.7MB
-
MD5
4b43e57843fa80f40d79329c531257dd
-
SHA1
2765b8a75a839da5c73b04c48343117e04c4fc83
-
SHA256
c93420c70f0c8ca7fad76927b1778ff0fb81a7842d92142e7c7b758a5ca3b949
-
SHA512
6bc7f735ed9d19c39369c9565b7b2c398fc6e6e24dcf986c7591bcbe755fe9fd380a869af664c41419cead83e63dbf2637beebc855b606594adeac43e4553346
-
SSDEEP
49152:0qE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPz:0qtYc3c
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Tofsee family
-
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hjpylgge = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2612 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hjpylgge\ImagePath = "C:\\Windows\\SysWOW64\\hjpylgge\\xtllixwk.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2704 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2680 xtllixwk.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2680 set thread context of 2704 2680 xtllixwk.exe 42 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2276 sc.exe 2720 sc.exe 2836 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtllixwk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2328 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 30 PID 2368 wrote to memory of 2328 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 30 PID 2368 wrote to memory of 2328 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 30 PID 2368 wrote to memory of 2328 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 30 PID 2368 wrote to memory of 2860 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 32 PID 2368 wrote to memory of 2860 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 32 PID 2368 wrote to memory of 2860 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 32 PID 2368 wrote to memory of 2860 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 32 PID 2368 wrote to memory of 2276 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 34 PID 2368 wrote to memory of 2276 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 34 PID 2368 wrote to memory of 2276 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 34 PID 2368 wrote to memory of 2276 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 34 PID 2368 wrote to memory of 2720 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 37 PID 2368 wrote to memory of 2720 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 37 PID 2368 wrote to memory of 2720 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 37 PID 2368 wrote to memory of 2720 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 37 PID 2368 wrote to memory of 2836 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 39 PID 2368 wrote to memory of 2836 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 39 PID 2368 wrote to memory of 2836 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 39 PID 2368 wrote to memory of 2836 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 39 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2680 wrote to memory of 2704 2680 xtllixwk.exe 42 PID 2368 wrote to memory of 2612 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 43 PID 2368 wrote to memory of 2612 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 43 PID 2368 wrote to memory of 2612 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 43 PID 2368 wrote to memory of 2612 2368 2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hjpylgge\2⤵
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xtllixwk.exe" C:\Windows\SysWOW64\hjpylgge\2⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create hjpylgge binPath= "C:\Windows\SysWOW64\hjpylgge\xtllixwk.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2276
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description hjpylgge "wifi internet conection"2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start hjpylgge2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\SysWOW64\hjpylgge\xtllixwk.exeC:\Windows\SysWOW64\hjpylgge\xtllixwk.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b43e57843fa80f40d79329c531257dd_mafia.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2704
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12.2MB
MD5141bea6130ec5e2c983d8b9c18276e9d
SHA1ff7b3536e7515cbf29b3f5cddf04114c29e2a76d
SHA256ee6bcc7fff3777e6659e577b642bd719361ed2d9589648432e6721cd405bbc1a
SHA512fd75b9ba845ec6549cea8ab27df3f4219940039e7d568447ebeeb280fe0ec70c11210f14542fe83fddd37db80b5d03b4d26e2d8b9bb010113e64ed83646e2ba9