Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/02/2024, 05:27

General

  • Target

    2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe

  • Size

    535KB

  • MD5

    8b5fe14bc892e9ec6ef4c3d927547381

  • SHA1

    b651242f199d0929f41d1df451e406b97c242047

  • SHA256

    8d09fee926bdab3dc48b4859b5759db9c378132caf936f036edcd47b54d79a44

  • SHA512

    68c3c26144f5c499d46f77728bce16f4bf4e6cf0fb3e12ea3123215fe308670857198ba72955ec3f46e26e2ed2c04674ff6103e8d44538d1a495e3044c5ddad7

  • SSDEEP

    12288:si4g+yU+0pAiv+TXeK5F0YVBMtwPkVZWi91NZUxUlvjosTdcG93Dn:si4gXn0pD+LeQF0KHc1DXlvjRhFJ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\4D26.tmp
      "C:\Users\Admin\AppData\Local\Temp\4D26.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe D4E5842DE9BD731DF005D009C5B7588CE9C8B2265431DD9075A64CF32164FC6904A8001F78A841927FE28887A21FB2050F51444FC06A98A22DFFD98C89169515
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe"
        3⤵
        • Executes dropped EXE
        PID:60

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2024-02-29_8b5fe14bc892e9ec6ef4c3d927547381_mafia.exe

    Filesize

    255KB

    MD5

    b7fd76103054f562a11ce616d50a0611

    SHA1

    7473656e5a33b9ecc401985f917f65054bcbd16c

    SHA256

    aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

    SHA512

    2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

  • C:\Users\Admin\AppData\Local\Temp\4D26.tmp

    Filesize

    535KB

    MD5

    69809d8119f8794db7150d42e446329b

    SHA1

    1e023b338ef11ec3451aa74c3a1332fe0204ceb7

    SHA256

    fa8994466039cfc30f466eed23c847eea261fae2757af3188fd9828b2e9d8c0a

    SHA512

    8b77e03729ede4954c1ae4be017163fd442133a25e800652fd0910a0f7e39109a3078d874b9e043ea6dcf8452f733331ec4a1dc18a37f45f6bde5c991b938417