Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28/01/2024, 04:45
General
-
Target
2024-01-28_9259195046d49cb9e327d004d93dae4b_mafia.exe
-
Size
653KB
-
MD5
9259195046d49cb9e327d004d93dae4b
-
SHA1
ae00378ab852a733de86031d3b06d3cfeb00a073
-
SHA256
7a242730c90b89fceefd69b52f797aa2893c64d2f7be4e034e7d5f3ebf2ceba2
-
SHA512
41406a9321524b512c29ad0928be7735c7b332250a2fbac3e82740f6c919844c4a9c9c18a65bb5df4755c397768c904c3ac7a5fdea5d312d76a50bf61c54877c
-
SSDEEP
12288:Aij0isJD+m3srW+5tEZG1QRw7rZ0n9sLXxGkgXYhfu0tF:tIiG+m8rWwHfR0yXkkxVtF
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 26 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-28_9259195046d49cb9e327d004d93dae4b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-28_9259195046d49cb9e327d004d93dae4b_mafia.exe"1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\minidownload.exeC:\Users\Admin\AppData\Local\Temp\\minidownload.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM44R64n5Z9vDp8w9LgPDEeC3lXW2w6UGPTm2addyN_6Z3IgRjPbEqOiHmiQXBVZPFoLfN_LPkloCAKBczwlEOKnstmnXcjf-mdyfSlrUwNn81C5fnJd6oRdx%26pcid%3D3320575651238465759%26fr%3Dxiazai%26source%3Dsogou_own%26filename%3Dsogou_pinyin_zhihui.exe&iconurl=http%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3320575651238465759.png&softname=%E6%90%9C%E7%8B%97%E6%8B%BC%E9%9F%B3%E6%99%BA%E6%85%A7%E7%89%88&softsize=31.50MB2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 19683⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1332 -ip 13321⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
560KB
MD503311437428117fb004eec8b38b62cca
SHA1394c7c27c61d4e341f64c2be812ffac2ebe8c8af
SHA2560565e862198c1979c5d58c8b6120c15601c668c9adcc3c545c5f2f27c85c3edc
SHA512fe719a26feed2c6147c4e71a4d732afcaf59c2146d6d8adbfa533dcc3af1d2c11d6174371f4d4babe6cac2b6cc438626a14e7f02ad5e9e2fe506351891d8f4d2
-
Filesize
7KB
MD559bf1a7a08d5e3b066a650351197f0af
SHA1833d0f6bff8b4daf936b8902e375a942d3d831e7
SHA256fa2fb59f16ccb6ec42ad804a270654b1fe50fc5303a39df734621efd96daad30
SHA512fe7edeab6008a51885932a0cedcffa73327029c5a6bae636b0fc25f52f60b38d795f01e56bc1071b911d2f77aca2b644461f5f52398fead735bdb74959876592
-
Filesize
93KB
MD55790ead7ad3ba27397aedfa3d263b867
SHA18130544c215fe5d1ec081d83461bf4a711e74882
SHA2562ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
SHA512781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a
-
Filesize
76B
MD5eeb80831da6c34ee872846edce4d6a03
SHA1c3c314f5936b95b8a33eed6d39b2f7309e517bee
SHA256620f10c15a1d7e1cb122234ab2c862f201913c29865282733cc42db0512a485b
SHA51286162a73410639731790950b46a726321d183552217fe3473fa549e193afa03a30876b8180e8dd0fd7990b3452a31e1f02d0ebce21b361f70224303ded8f75a3
-
Filesize
5KB
MD57b73753cd524c62838f1031e52b6310d
SHA121d962ff343263f484262cc246ce9683dbac89b3
SHA256e3629d6e735ac18a47c36c4a8a3caf2469102eb6abf12d938a82df16bb012d4f
SHA5127f5ae1c87227671bd91f8a65cae9ee90976d2a427a2a5530b754ef5fad80e7d096b53e31f715cd38553f8b56776d80176a927419b467a169929f41ce185b5248
-
Filesize
6KB
MD5f122f616e4b32a843d7f6803bea9a10f
SHA19a8eed20175b74821f2678ea72d086d55330bb42
SHA256f9d5aa213ccbd78f98d6b1978e378de7a1b37b1fbffb93e4ea1f1b914a720e0d
SHA512aa5a1595c785469dc2d68dcfe20af232baa0bff2f96f3276a14ba2f925fc1316ee50b694fb193d8d963e10656cd6da9e623fb54ca6a201fae3aca4a64319f7b8
-
Filesize
1KB
MD5c2cfc62059b6259d5db8b7e64b76ea0d
SHA1eaf2eb169b87faeb829e124ce6e6f9f292f7f266
SHA256ca281adf65372f5fc51f621fbe93a935629e2d979958ffd3f5f695cf7bc3d23e
SHA5127e007989e19a8735ef7bd8c467ed213fd3321e81af2980d3a93403098f53fbf0df0a6f9bcaad794623d80fb05cbcc293b49c73c76a05be970f689d9f21bc3346
-
Filesize
25KB
MD5b6b31a4d23c2664b87dc8bf1fcf8ff22
SHA117f27a514ef7119080be4ae9dc691010acdc43fa
SHA2565ece2e217e6a50b2ecc6564601c1da92441c73a1a34a3c6c5d207d6726df8756
SHA5125506ed1fba0e3fa471c83240266ff329fbb23ae862955a5bac358ae506c90d4c03227a710fc548ca5510eb711b95ecce75c63323c30766e3dd081c081b5829cd
-
Filesize
348B
MD5915d0422e8b87e694bb052287e45de06
SHA1ae5f77eda69dd12218fc542279fe9e4e0a85db22
SHA2565fa5d3bedabe22c5193b5eace4ae3be80a5c8c6271873e1d915bc42c525ce689
SHA5124392768182f58bb14aad04d5f4287447eb239b6387cb7371def0ce25bb940be88d32c366e7c483cfd604f0aa7a11171084411530389926f3eb6cc1f9f9847852
-
Filesize
657B
MD50e0ac8352cd69f396f271fa32f3ab554
SHA1ed6d306a5033707f45477df3318a53d15b47cf43
SHA256c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA5125d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0
-
Filesize
285B
MD57db33b5890d916426f77d585ab3c4fa9
SHA199a794c3a88803ae289c7ea6f0d733e22a3b799b
SHA2565585318ea9be125540f00f04b05b29da3816ef97ce837a22a2eaee2d5d462d9b
SHA5129800273f1e605b946dd553cbae650270c5bf2af7909a4836aa81907f9e30ca348a3552a1887e3357472ca1b93fa8361a17bee3fb742fb5a2d0c1b47a5a47c773
-
Filesize
10KB
MD5631f38cfac458788af482eba736e5ac3
SHA1b1d09def39ec74eff2c9e0aafe0a7c12e7650150
SHA25613e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d
SHA5123ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42
-
Filesize
324KB
MD58bde3d87157322360828ba6e8dd43073
SHA1b502f83f19da64826257800db1f62d15bbdabc7c
SHA256459e67cfd20eaa1b7768e1ad845c90f72f4c2643d428f5cd8551f7b364382307
SHA512c60d3fc3e130e164349a751a3c42d922ea4d46b42198da5a03879bdf0990ba94549bd36682d4e1e0bb2c13b4865f2d650e3967d963cd8e9deee7c6353cc3af16
-
Filesize
4KB
