Analysis
max time kernel: 93s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 06:25 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe
Resource: win10v2004-20240226-en
General
Target: 2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe
Size: 468KB
MD5: 0bde83cbc25450b0630e0f59302869a5
SHA1: 90485f8c647d1cbbf65659cea4a58a4cbd94f49e
SHA256: 12b5b021d6602ad61b5bd49619727abc07cc07601861bfbb4e149515564e6b40
SHA512: 8d2fb82e0903cee26ff59facee14a205e01c880edbfdeceff63cf552ede235f4ab2abecc9cf85a9b9bed23ca1e4625b49d71f5ea785361ada0d0e1cd473e2db7
SSDEEP: 12288:qO4rfItL8HGJmu/gfJbRMrlAyMqQ1pkq7bWmeEVGL:qO4rQtGGIu/g1QlAyM5lumeEVGL
Malware Config
Signatures

Deletes itself (1 IoC)
pid: 2536  Process: 3F6A.tmp

Executes dropped EXE (1 IoC)
pid: 2536  Process: 3F6A.tmp

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                                                 procid_target
PID 1156 wrote to memory of 2536  1156  2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe  87
PID 1156 wrote to memory of 2536  1156  2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe  87
PID 1156 wrote to memory of 2536  1156  2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe  87
Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe"
- Suspicious use of WriteProcessMemory
PID: 1156

  C:\Users\Admin\AppData\Local\Temp\3F6A.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\3F6A.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe A4E98E1047210DE05F4B7CE39857CFFDD0BE9C13269DE99140512E336E3760CF70EC33295D16098A2BFA86B4D947E1EA04DB3A1578DA73AF0DC411A5154A54C1
  - Deletes itself
  - Executes dropped EXE
  PID: 2536
Network

Remote address: 8.8.8.8:53
Request: 73.31.126.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response:
g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
dual-a-0001.a-msedge.net IN A 204.79.197.200
dual-a-0001.a-msedge.net IN A 13.107.21.200

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=259B1C3999606EC01575080D98806F44; domain=.bing.com; expires=Tue, 25-Mar-2025 06:25:56 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2FA37E833E2E48E798BD1B8ACB5C87DF Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
date: Thu, 29 Feb 2024 06:25:56 GMT

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=259B1C3999606EC01575080D98806F44
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-WpzhfnP6k7Cz17EGpqDjO6Tah1QiEZIrOrc0u9lubU; domain=.bing.com; expires=Tue, 25-Mar-2025 06:25:56 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A01AD4CBFA0042669204DBA2F5041C7C Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
date: Thu, 29 Feb 2024 06:25:56 GMT

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=259B1C3999606EC01575080D98806F44; MSPTC=-WpzhfnP6k7Cz17EGpqDjO6Tah1QiEZIrOrc0u9lubU
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25200F1A938C4EF9AF0DACCA43DF74A7 Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
date: Thu, 29 Feb 2024 06:25:56 GMT

Remote address: 8.8.8.8:53
Request: 0.205.248.87.in-addr.arpa IN PTR
Response:
0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0.lgw.llnw.net

Remote address: 8.8.8.8:53
Request: 241.154.82.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 41.110.16.96.in-addr.arpa IN PTR
Response:
41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 183.59.114.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 171.39.242.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 240.221.184.93.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 180.178.17.96.in-addr.arpa IN PTR
Response:
180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 21.236.111.52.in-addr.arpa IN PTR
Response: (empty)

Per-connection totals (bytes sent / bytes received / packets sent / packets received):

204.79.197.200:443  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=  tls, http2  2.0kB / 9.2kB / 22 / 19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
  HTTP Response: 204

(no details)  46 B / - / 1 / -

71 B / 157 B / 1 / 1
  DNS Request: 73.31.126.40.in-addr.arpa

56 B / 158 B / 1 / 1
  DNS Request: g.bing.com
  DNS Response: 204.79.197.200, 13.107.21.200

71 B / 116 B / 1 / 1
  DNS Request: 0.205.248.87.in-addr.arpa

72 B / 158 B / 1 / 1
  DNS Request: 241.154.82.20.in-addr.arpa

71 B / 135 B / 1 / 1
  DNS Request: 41.110.16.96.in-addr.arpa

72 B / 158 B / 1 / 1
  DNS Request: 183.59.114.20.in-addr.arpa

72 B / 158 B / 1 / 1
  DNS Request: 171.39.242.20.in-addr.arpa

73 B / 144 B / 1 / 1
  DNS Request: 240.221.184.93.in-addr.arpa

72 B / 137 B / 1 / 1
  DNS Request: 180.178.17.96.in-addr.arpa

72 B / 158 B / 1 / 1
  DNS Request: 21.236.111.52.in-addr.arpa
Downloads

Filesize: 468KB
MD5: e3b1d2ddc4e7e8ae2bc56be7b132b6bd
SHA1: 11c9bfe965e3c34ac241ec7988cc140f52d67a00
SHA256: c5e41ee7a15c139e8ae11be0422ab2aaf1df77cbcdf87c40eb7485497d69139b
SHA512: 1e0b314c8c3bade356e0382724011b0062705a5c6c1720d868063ea28ebc3a723eda60a7d3c332dedca06e8a98e11074cbab06645b71beff40b1c67c288738d3