Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
Size: 535KB
MD5: 8b5fe14bc892e9ec6ef4c3d927547381
SHA1: b651242f199d0929f41d1df451e406b97c242047
SHA256: 8d09fee926bdab3dc48b4859b5759db9c378132caf936f036edcd47b54d79a44
SHA512: 68c3c26144f5c499d46f77728bce16f4bf4e6cf0fb3e12ea3123215fe308670857198ba72955ec3f46e26e2ed2c04674ff6103e8d44538d1a495e3044c5ddad7
SSDEEP: 12288:si4g+yU+0pAiv+TXeK5F0YVBMtwPkVZWi91NZUxUlvjosTdcG93Dn:si4gXn0pD+LeQF0KHc1DXlvjRhFJ
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
  Process: 4D26.tmp

Executes dropped EXE (2 IoCs)
  pid 4716  Process 4D26.tmp
  pid 60    Process 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: RenamesItself (1 IoC)
  pid 4716  Process 4D26.tmp

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 632 wrote to memory of 4716 | 632 | 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe | 86
  PID 632 wrote to memory of 4716 | 632 | 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe | 86
  PID 632 wrote to memory of 4716 | 632 | 2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe | 86
  PID 4716 wrote to memory of 60 | 4716 | 4D26.tmp | 90
  PID 4716 wrote to memory of 60 | 4716 | 4D26.tmp | 90
  PID 4716 wrote to memory of 60 | 4716 | 4D26.tmp | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe"
   - Suspicious use of WriteProcessMemory
   PID: 632

   2. C:\Users\Admin\AppData\Local\Temp\4D26.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\4D26.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe D4E5842DE9BD731DF005D009C5B7588CE9C8B2265431DD9075A64CF32164FC6904A8001F78A841927FE28887A21FB2050F51444FC06A98A22DFFD98C89169515
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      PID: 4716

      3. C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe"
         - Executes dropped EXE
         PID: 60
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 255KB
MD5: b7fd76103054f562a11ce616d50a0611
SHA1: 7473656e5a33b9ecc401985f917f65054bcbd16c
SHA256: aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409
SHA512: 2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Filesize: 535KB
MD5: 69809d8119f8794db7150d42e446329b
SHA1: 1e023b338ef11ec3451aa74c3a1332fe0204ceb7
SHA256: fa8994466039cfc30f466eed23c847eea261fae2757af3188fd9828b2e9d8c0a
SHA512: 8b77e03729ede4954c1ae4be017163fd442133a25e800652fd0910a0f7e39109a3078d874b9e043ea6dcf8452f733331ec4a1dc18a37f45f6bde5c991b938417