Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
161s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
09/01/2024, 06:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
-
Size
486KB
-
MD5
e008f6de1c33acafea60d513c90cc527
-
SHA1
08cee0c7e1103cc7a69d857b76e1bd37b6e2454f
-
SHA256
2b4b67331f91dfe4516336b5ca5868cb774e359d4647abad88131eb9c30fa0b3
-
SHA512
eed6b8c5950379bfb554033502bd92ec384d10822b7b1e493a1bab133e7a21218de068267f7b1f4f0b8d4c6e90642a1e12331ac37560e897e6a8513a7b7e022e
-
SSDEEP
6144:fpzhInoFPRsVmVE600C978/1ZkycpBQEJIbxWeow9b51YIJNpltL33fOcMsHpeUg:frF2600C977x5w9b51tJTltr32c1JeUg
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation B9AB.tmp -
Executes dropped EXE 1 IoCs
pid Process 4872 B9AB.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings B9AB.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3020 WINWORD.EXE 3020 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4872 B9AB.tmp -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2424 wrote to memory of 4872 2424 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 90 PID 2424 wrote to memory of 4872 2424 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 90 PID 2424 wrote to memory of 4872 2424 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 90 PID 4872 wrote to memory of 3020 4872 B9AB.tmp 92 PID 4872 wrote to memory of 3020 4872 B9AB.tmp 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\B9AB.tmp"C:\Users\Admin\AppData\Local\Temp\B9AB.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 09915774D22DB986B4B5860206B32357891CE127D593FDE7B3157D92A7E3F41798793D4A40BA65138061EDB9B2C214CD42CF0E18D3EB2B1620E0DA59B310346F2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
125KB
MD5f5cf4b1e9f4cca92ae51496d67d2f3e1
SHA1ded5b618c8c9790f47e84d3e0d981976b1808d30
SHA256f5384d0f3d3525b6ac0614fcc16a77a63bc091f8b069d7c030e1c5a4fa8d87c6
SHA51245ce86d7c90a3f707702f690973523176a8a8703dedd5f81d7251aa0787329a394347340da7d19cb82360b74e76fab4df70e7090c9a40d516ecce4525ab4dbe9
-
Filesize
50KB
MD5ea63f834f3c9732c655fa899d9586d6c
SHA1b52807ea6e6bdd8ea66a650025f089fcc4e061ec
SHA256274531ace5ca390d696b3cf2024f973877120da1c19e4722917844183af432a2
SHA51240f0960577674614daa2e5e03dbe7b411801fe27b85a83a2df4cbd869d4b8162558b144767452f3464065e36e562735662997e27097d78602fe1076652489120
-
Filesize
486KB
MD5b8abeb8847707651cd2a10d902c33785
SHA11b391226320c5ea0916ae70fe1e8d1d4e00357b8
SHA256b479be32a0584fd80dc922ec774c1f582feaab2b3e0c80cf725d67ba83065d3b
SHA512d534fd8173c6cd52447261c9cd5fedeb2f26dc3bd00b5d4998f102f615b4c6e654a340edc240c422a4d115c9785b7b47be6c7fb9c82ff696e8102e90556aa26e