Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2023-08-26...JC.exe

windows7-x64

8

2023-08-26...JC.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe

  • Size

    255KB

  • MD5

    5f88e9dea36c0a29fcee359567ca68a3

  • SHA1

    68f8fd802e635799166f1098ba17bd54235a7b0c

  • SHA256

    06a1095054a1ab69bc13662b60f21a725d50286fabecd045f6df744b213a4c4e

  • SHA512

    938b78aa7e453cd2c9352a45bf757825d00797589a568af2b415dbe9899d45cf4ab8ba535783a3d9398868fc6cbedbe11196da5d7d81c883e28bd221d181f452

  • SSDEEP

    6144:o64tXafE0Mqpm+SKAqpByuqPoEbLvRdvf1:o68r0Mqpm+SCB3KbLzN

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:3020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    bf52cd701b14f23225a64bd76dcf8cdf

    SHA1

    0fe0076f87777d7752f60e8a6f76e9ec5e1aa82a

    SHA256

    eeb1c2ed27eecd4b717dc484a1c292ce7e74dc5510983964573a509a28613a2d

    SHA512

    6b4987625e29671bd4e0d4ab37b47dadd05c983e8c02fd8b2bb02e0d689bce0d0cfd0d128b84a9d15d76151f1b48ebb1052ddddba6366b6f5ccdc1dab06935e2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
    Filesize

    77B

    MD5

    fcc21d925935117d130df4d9a26a5f56

    SHA1

    54541069b09a46091885de0259034d05ac978417

    SHA256

    ebfead48ce9da04104743c987943d6fc31703ea6917dbec7dfc3b3856950b119

    SHA512

    b817d976696898ef45d5fa70feeec69cd18cbac5db05bc380bdfcb5812862a0887cd52dcb5740db61482d68adb47899f40a1d4bd7006e293e29d545ff14ed78f

    Download Submit

  • \Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    bf52cd701b14f23225a64bd76dcf8cdf

    SHA1

    0fe0076f87777d7752f60e8a6f76e9ec5e1aa82a

    SHA256

    eeb1c2ed27eecd4b717dc484a1c292ce7e74dc5510983964573a509a28613a2d

    SHA512

    6b4987625e29671bd4e0d4ab37b47dadd05c983e8c02fd8b2bb02e0d689bce0d0cfd0d128b84a9d15d76151f1b48ebb1052ddddba6366b6f5ccdc1dab06935e2

    Download Submit

  • \Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    bf52cd701b14f23225a64bd76dcf8cdf

    SHA1

    0fe0076f87777d7752f60e8a6f76e9ec5e1aa82a

    SHA256

    eeb1c2ed27eecd4b717dc484a1c292ce7e74dc5510983964573a509a28613a2d

    SHA512

    6b4987625e29671bd4e0d4ab37b47dadd05c983e8c02fd8b2bb02e0d689bce0d0cfd0d128b84a9d15d76151f1b48ebb1052ddddba6366b6f5ccdc1dab06935e2

    Download Submit

  • \Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    bf52cd701b14f23225a64bd76dcf8cdf

    SHA1

    0fe0076f87777d7752f60e8a6f76e9ec5e1aa82a

    SHA256

    eeb1c2ed27eecd4b717dc484a1c292ce7e74dc5510983964573a509a28613a2d

    SHA512

    6b4987625e29671bd4e0d4ab37b47dadd05c983e8c02fd8b2bb02e0d689bce0d0cfd0d128b84a9d15d76151f1b48ebb1052ddddba6366b6f5ccdc1dab06935e2

    Download Submit

  • memory/2760-13-0x0000000003D60000-0x0000000003D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-9-0x0000000001D10000-0x0000000001D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-10-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-12-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-14-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-15-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-16-0x0000000003D60000-0x0000000003D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-19-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-25-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-26-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2760-31-0x000007FEFC2E0000-0x000007FEFC34D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2976-5-0x0000000000280000-0x00000000002ED000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3020-7-0x000007FEF71F0000-0x000007FEF725D000-memory.dmp

    Filesize

    436KB

    Download