Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2023-08-26...JC.exe

windows7-x64

8

2023-08-26...JC.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe

  • Size

    255KB

  • MD5

    7a07f55857e4b8502137a211b158d4ab

  • SHA1

    80ee6656759f0fe251cfa4a81a43024ce4c096ed

  • SHA256

    f0a6eff7660e788816b7363554291cd7f0bcbb27cc636c96d0c67fb2928f7fe2

  • SHA512

    f7b05bba81731b7f0d5aea809346a066d28405068f5dff4a9b940ac50354a5ce8dfeda55857339c8204bed0b626b7b01b2c3d4aab4b27d07eeebe98fad7f9b74

  • SSDEEP

    6144:o64tXafE0Mqpm+SKAqpByuqPoEbLvRdvf8:o68r0Mqpm+SCB3KbLzE

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:2416
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3168
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1900
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1340
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4364
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:2544
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:4480
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1480
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3980
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:764
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4080
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:440
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:4664
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3792

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                      Filesize

                      471B

                      MD5

                      0085711bef17acad9eacf0bbf9bf3906

                      SHA1

                      20041eb81473c406da0ebfd7717231c0852ba344

                      SHA256

                      98c31705ae2dbde79cc8916db28c40c875597004ae24d94ac42433e0989d70a1

                      SHA512

                      3354239703701d843124bc466fd9794dd65ed766e4a1df64f784250292be3f24239a9e7156738d07a1c12316952cc1ee71ae9feba9b8fdbfb545e273ae871a6e

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                      Filesize

                      412B

                      MD5

                      8d304b248249088be9829c9a1b68b74d

                      SHA1

                      a3545155ea2cf082d0c13f0a869f6dee69caa084

                      SHA256

                      aa3e4db818ea1f36b202424b149eee5c18f9694b1ea511589422983f677c5c63

                      SHA512

                      c58e0df8a392e5784c5a5daa95d63915c799cebd9a563af58be08d4ecaa2d5f2435dcb6755a76737e6b57fcb838866f1a74e53e047417d8ccdd59bbd3972c958

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
                      Filesize

                      97B

                      MD5

                      c31f790cfd02ef244af845fc39b43ad4

                      SHA1

                      947a1baf207f5bc852b97ed0eca9a029c58b5126

                      SHA256

                      5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

                      SHA512

                      135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415485062522434.txt
                      Filesize

                      75KB

                      MD5

                      62d81c2e1e8b21733f95af2a596e4b18

                      SHA1

                      91c005ecc5ae4171f450c43c02d1ba532b4474c6

                      SHA256

                      a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

                      SHA512

                      c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415485062522434.txt
                      Filesize

                      75KB

                      MD5

                      62d81c2e1e8b21733f95af2a596e4b18

                      SHA1

                      91c005ecc5ae4171f450c43c02d1ba532b4474c6

                      SHA256

                      a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

                      SHA512

                      c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
                      Filesize

                      97B

                      MD5

                      c31f790cfd02ef244af845fc39b43ad4

                      SHA1

                      947a1baf207f5bc852b97ed0eca9a029c58b5126

                      SHA256

                      5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

                      SHA512

                      135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
                      Filesize

                      95KB

                      MD5

                      1a63403648213df70dfe797edfe3c845

                      SHA1

                      ca7a5c3aeb326ba81429a635788a7de58e22a697

                      SHA256

                      775d33a48b5b1ec7dc27e9cef9ecaf84eeb638c10aed4757ebfa8b9687ab5e26

                      SHA512

                      0c0335238c78f5a4cce6a9fde7e5e4c6b765083133653f1cb9ec6353845a2fb63585abf7e512eba50bac50b0fb7bf00027e3bcf8cbfa50dff5b2de7a9fe33e65

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
                      Filesize

                      77B

                      MD5

                      c3e398b5efabbbdd562b507e6234305a

                      SHA1

                      4fad5488061c0df415cee5c9d758a737b3f7a2ac

                      SHA256

                      dbf0a19c72b8d83e42b98c4a555875caa0af89ceceb0ea6710b83f48c525109b

                      SHA512

                      d13b8e8fb3d86a342b50ae18e9a4b46c52f4df3698a97e7fd21085da95009b0f60649c47836cbd5ed0e849dddf7ee400ca3019f9ea4ccc325a0a38e4c357882b

                      Download Submit

                    • memory/440-97-0x0000000004410000-0x0000000004411000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/440-94-0x00007FFEFD480000-0x00007FFEFD481000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/440-95-0x00007FFF74380000-0x00007FFF743ED000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/764-92-0x00007FFF72B10000-0x00007FFF72B7D000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/764-89-0x00007FFEFD480000-0x00007FFEFD481000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/764-90-0x00007FFF72B10000-0x00007FFF72B7D000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/2236-5-0x0000000002780000-0x00000000027ED000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/2416-7-0x00007FFF70AE0000-0x00007FFF70B4D000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/3168-27-0x00007FFF72D70000-0x00007FFF72DDD000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/3168-25-0x0000000004930000-0x0000000004931000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3168-19-0x00007FFF72D70000-0x00007FFF72DDD000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/3168-18-0x00007FFEFD480000-0x00007FFEFD481000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3792-108-0x000001465F1D0000-0x000001465F1F0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3792-110-0x000001465F7E0000-0x000001465F800000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3792-105-0x000001465F420000-0x000001465F440000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3980-77-0x00000189B9F80000-0x00000189B9FA0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3980-72-0x00000189B9B70000-0x00000189B9B90000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3980-74-0x00000189B9B30000-0x00000189B9B50000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/4364-55-0x00007FFEFD480000-0x00007FFEFD481000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4364-54-0x00007FFF72850000-0x00007FFF728BD000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/4364-59-0x00007FFF72850000-0x00007FFF728BD000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/4480-62-0x00007FFF72730000-0x00007FFF7279D000-memory.dmp

                      Filesize

                      436KB

                      Download

                    • memory/4480-61-0x00007FFEFD480000-0x00007FFEFD481000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4480-65-0x00000000042C0000-0x00000000042C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4480-86-0x00007FFF72730000-0x00007FFF7279D000-memory.dmp

                      Filesize

                      436KB

                      Download