Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2024, 05:48

General

  • Target

    2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe

  • Size

    535KB

  • MD5

    34c0044dee04253964e0d8ec3c9cd739

  • SHA1

    a84e1c388b52801a1c16b85daef3e3b01ea5336a

  • SHA256

    cfc179787a2c853d906c0e301b5d3c456b8823230b03e0fed78030a705b34a76

  • SHA512

    88df2dfb899cdad27dfbef9abe17aeb0ab74438b850772860c55fb021796e9b0907ba0ebb5e5350d3e59a7b9d6cbba1727c3b27766e916ff65723c07ba8d0f78

  • SSDEEP

    12288:si4g+yU+0pAiv+CrxR5C07Y0HeqFuK8mWxUlvjosTdcG93Dn:si4gXn0pD+axR5NY0Hea8UlvjRhFJ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\55E0.tmp
      "C:\Users\Admin\AppData\Local\Temp\55E0.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe 0DA139D78BE75BED20C56FAD62A816DD297D550A01EE646D528C9FEFE960A772EA45B93864C19AB9949F71088C7692F85B55748585470A089361954509868D6A
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe"
        3⤵
        • Executes dropped EXE
        PID:3988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe

    Filesize

    255KB

    MD5

    b7fd76103054f562a11ce616d50a0611

    SHA1

    7473656e5a33b9ecc401985f917f65054bcbd16c

    SHA256

    aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

    SHA512

    2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

  • C:\Users\Admin\AppData\Local\Temp\55E0.tmp

    Filesize

    291KB

    MD5

    68e8350cb1387164366246516bb4832e

    SHA1

    0d35e3f27456ae483f0c2377658ebeb5c55483ee

    SHA256

    ece986dffc646886b360a07895daec0f96b7679c37e5e7988a4227ad5ab0a211

    SHA512

    ad7cb20c7c0ba9112eacb3b8e79f69ebebb56044cc4145c1c6a4337d64ac8c9220503e869eab2c224eff85fce2bfbbc8f9ba84e59b827f934d87e9aa24b1606d

  • C:\Users\Admin\AppData\Local\Temp\55E0.tmp

    Filesize

    308KB

    MD5

    3ff0107ca464ce95300f197098c35f22

    SHA1

    f6fa0791f33b4b939b581f383a7b5ef5aeb3236c

    SHA256

    064d9366aaaf1a8753930b777f32f8d4ba4721a3b6073fec2ab11fe1c5021341

    SHA512

    4c6d26f7e896237afdfc4fb21f36b682ee15483a5595808705771d3ed333fd85f538663785f7ca4c8a9d09aed5a880c28bcf8a843e5861274be012b11f3d8f87