Analysis

  • max time kernel
    93s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/02/2024, 06:25 UTC

General

  • Target

    2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe

  • Size

    468KB

  • MD5

    0bde83cbc25450b0630e0f59302869a5

  • SHA1

    90485f8c647d1cbbf65659cea4a58a4cbd94f49e

  • SHA256

    12b5b021d6602ad61b5bd49619727abc07cc07601861bfbb4e149515564e6b40

  • SHA512

    8d2fb82e0903cee26ff59facee14a205e01c880edbfdeceff63cf552ede235f4ab2abecc9cf85a9b9bed23ca1e4625b49d71f5ea785361ada0d0e1cd473e2db7

  • SSDEEP

    12288:qO4rfItL8HGJmu/gfJbRMrlAyMqQ1pkq7bWmeEVGL:qO4rQtGGIu/g1QlAyM5lumeEVGL

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe"
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\3F6A.tmp (child of PID 1156)
      "C:\Users\Admin\AppData\Local\Temp\3F6A.tmp" --help C:\Users\Admin\AppData\Local\Temp\2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe A4E98E1047210DE05F4B7CE39857CFFDD0BE9C13269DE99140512E336E3760CF70EC33295D16098A2BFA86B4D947E1EA04DB3A1578DA73AF0DC411A5154A54C1
      • Deletes itself
      • Executes dropped EXE
      PID:2536
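The process tree above is a drop-and-relaunch chain: the submitted sample writes 3F6A.tmp (same 468KB size, different hash, see Downloads), runs it as a process despite the .tmp name, passes its own path plus a 128-character hex blob on the command line, and the child is the process credited with "Deletes itself". The script below is an added example by the editor, not Triage's signature logic: it scores a constructed set of Sysmon-style process-creation and file-delete events (PIDs, image paths and the command line are copied from the report; the parent's PPID of 600 is a placeholder, and the file-delete event assumes the child removed the parent executable, which the report does not state explicitly).

```python
"""Detect the drop-and-relaunch chain shown in the process tree.

Added example: the event records below are constructed by the editor,
with PIDs, image paths and the command line copied from the report.
The record shape is a simplified Sysmon-style event, not Triage's own
format, and the parent's PPID (600) is an arbitrary placeholder.
"""
import re
from pathlib import PureWindowsPath

TEMP_DIR = PureWindowsPath(r"C:\Users\Admin\AppData\Local\Temp")
SAMPLE = TEMP_DIR / "2024-02-29_0bde83cbc25450b0630e0f59302869a5_mafia.exe"
DROPPED = TEMP_DIR / "3F6A.tmp"
ARG_BLOB = ("A4E98E1047210DE05F4B7CE39857CFFDD0BE9C13269DE99140512E336E3760CF"
            "70EC33295D16098A2BFA86B4D947E1EA04DB3A1578DA73AF0DC411A5154A54C1")

EVENTS = [
    {"type": "process_create", "pid": 1156, "ppid": 600,
     "image": str(SAMPLE), "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2536, "ppid": 1156,
     "image": str(DROPPED),
     "cmdline": f'"{DROPPED}" --help {SAMPLE} {ARG_BLOB}'},
    # Assumed: the report only says the child "Deletes itself"; this
    # constructed event models it deleting the parent executable whose
    # path it received on the command line.
    {"type": "file_delete", "pid": 2536, "target": str(SAMPLE)},
]

ARGV_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{64,}$")


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style argv split: double-quoted or whitespace-delimited tokens."""
    return [quoted or bare for quoted, bare in ARGV_TOKEN.findall(cmdline)]


def find_relaunch_chains(events: list[dict]) -> list[dict]:
    """Return parent/child pairs where the child looks like a dropped relauncher:
    run from %TEMP% under a non-.exe name, handed the parent's own path as an
    argument, carrying a long hex blob, and/or deleting the parent executable."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    deletes = [e for e in events if e["type"] == "file_delete"]
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        image = PureWindowsPath(child["image"])
        parent_image = PureWindowsPath(parent["image"])  # case-insensitive compare
        argv = split_cmdline(child["cmdline"])[1:]
        reasons = []
        if TEMP_DIR in image.parents and image.suffix.lower() != ".exe":
            reasons.append("non-.exe image executed from %TEMP%")
        if any(PureWindowsPath(a) == parent_image for a in argv):
            reasons.append("parent image path passed as an argument")
        if any(HEX_BLOB.match(a) for a in argv):
            reasons.append("long hex blob on the command line")
        if any(d["pid"] == child["pid"] and PureWindowsPath(d["target"]) == parent_image
               for d in deletes):
            reasons.append("child deleted the parent executable")
        if len(reasons) >= 2:  # any single signal alone is common in benign installers
            hits.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                         "child_image": child["image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_relaunch_chains(EVENTS):
        print(f"PID {hit['parent_pid']} -> PID {hit['child_pid']} ({hit['child_image']})")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Requiring two of the four signals keeps ordinary updaters (which also relaunch from %TEMP%) below the threshold while the chain in this report trips all four. The hex blob is treated only as a feature; the report gives no basis for saying what it encodes, so do not treat it as a key or a hash without further analysis.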

Network

  • DNS (US) 73.31.126.40.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  • DNS (US) g.bing.com IN A
    Remote address: 8.8.8.8:53
    Response:
      g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net IN A 204.79.197.200
      dual-a-0001.a-msedge.net IN A 13.107.21.200
  • HTTP (US) GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=259B1C3999606EC01575080D98806F44; domain=.bing.com; expires=Tue, 25-Mar-2025 06:25:56 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2FA37E833E2E48E798BD1B8ACB5C87DF Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
      date: Thu, 29 Feb 2024 06:25:56 GMT
  • HTTP (US) GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=259B1C3999606EC01575080D98806F44
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=-WpzhfnP6k7Cz17EGpqDjO6Tah1QiEZIrOrc0u9lubU; domain=.bing.com; expires=Tue, 25-Mar-2025 06:25:56 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A01AD4CBFA0042669204DBA2F5041C7C Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
      date: Thu, 29 Feb 2024 06:25:56 GMT
  • HTTP (US) GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=259B1C3999606EC01575080D98806F44; MSPTC=-WpzhfnP6k7Cz17EGpqDjO6Tah1QiEZIrOrc0u9lubU
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 25200F1A938C4EF9AF0DACCA43DF74A7 Ref B: LON04EDGE1220 Ref C: 2024-02-29T06:25:56Z
      date: Thu, 29 Feb 2024 06:25:56 GMT
  • DNS (US) 0.205.248.87.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response:
      0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0.lgw.llnw.net
  • DNS (US) 241.154.82.20.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  • DNS (US) 41.110.16.96.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response:
      41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
  • DNS (US) 183.59.114.20.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  • DNS (US) 171.39.242.20.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  • DNS (US) 240.221.184.93.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  • DNS (US) 180.178.17.96.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response:
      180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com
  • DNS (US) 21.236.111.52.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (empty)
  Per-destination summary (columns: remote address, name or URL, protocol, bytes sent, bytes received, packets out, packets in):

  • 204.79.197.200:443  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=  tls, http2; sent 2.0kB, received 9.2kB; packets 22 out, 19 in
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=82b06538e2bd46b4b9a81932e1908885&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    HTTP Response: 204
  • 20.231.121.79:80  (no name)  sent 46 B, 1 packet out; nothing received
  • 8.8.8.8:53  73.31.126.40.in-addr.arpa  dns; sent 71 B, received 157 B; packets 1 out, 1 in
    DNS Request: 73.31.126.40.in-addr.arpa
  • 8.8.8.8:53  g.bing.com  dns; sent 56 B, received 158 B; packets 1 out, 1 in
    DNS Request: g.bing.com
    DNS Response: 204.79.197.200, 13.107.21.200
  • 8.8.8.8:53  0.205.248.87.in-addr.arpa  dns; sent 71 B, received 116 B; packets 1 out, 1 in
    DNS Request: 0.205.248.87.in-addr.arpa
  • 8.8.8.8:53  241.154.82.20.in-addr.arpa  dns; sent 72 B, received 158 B; packets 1 out, 1 in
    DNS Request: 241.154.82.20.in-addr.arpa
  • 8.8.8.8:53  41.110.16.96.in-addr.arpa  dns; sent 71 B, received 135 B; packets 1 out, 1 in
    DNS Request: 41.110.16.96.in-addr.arpa
  • 8.8.8.8:53  183.59.114.20.in-addr.arpa  dns; sent 72 B, received 158 B; packets 1 out, 1 in
    DNS Request: 183.59.114.20.in-addr.arpa
  • 8.8.8.8:53  171.39.242.20.in-addr.arpa  dns; sent 72 B, received 158 B; packets 1 out, 1 in
    DNS Request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns; sent 73 B, received 144 B; packets 1 out, 1 in
    DNS Request: 240.221.184.93.in-addr.arpa
  • 8.8.8.8:53  180.178.17.96.in-addr.arpa  dns; sent 72 B, received 137 B; packets 1 out, 1 in
    DNS Request: 180.178.17.96.in-addr.arpa
  • 8.8.8.8:53  21.236.111.52.in-addr.arpa  dns; sent 72 B, received 158 B; packets 1 out, 1 in
    DNS Request: 21.236.111.52.in-addr.arpa
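Nearly everything in the Network section is the Windows 10 image talking to itself: the three g.bing.com requests carry the WindowsShellClient user-agent of the Windows Shell, and the in-addr.arpa queries are reverse lookups of Microsoft, Akamai and Limelight addresses rather than destinations the sample chose. The script below is an added example by the editor, not part of the Triage report: it sorts a constructed copy of these flows (names, addresses, byte counts and user-agent copied from the report, PTR answers with their dots restored) into background noise and residual candidates, using the editor's own allowlist and rules rather than any Triage verdict.

```python
"""Separate sandbox/OS background traffic from candidate indicators.

Added example. FLOWS is constructed by the editor from the report's
Network section; BACKGROUND_DOMAINS and the classification rules are
the editor's assumptions, not Triage's.
"""
from ipaddress import ip_address

# Names a freshly booted Windows 10 VM contacts on its own (assumed list).
BACKGROUND_DOMAINS = ("bing.com", "a-msedge.net")
# User-agent of the Windows Shell (Start menu content), not of the sample.
BACKGROUND_USER_AGENTS = ("WindowsShellClient/",)

FLOWS = [
    {"proto": "dns", "query": "73.31.126.40.in-addr.arpa", "qtype": "PTR", "answers": []},
    {"proto": "dns", "query": "g.bing.com", "qtype": "A",
     "answers": ["204.79.197.200", "13.107.21.200"]},
    {"proto": "http", "host": "g.bing.com", "dst": "204.79.197.200", "port": 443,
     "user_agent": "WindowsShellClient/9.0.40929.0 (Windows)", "status": 204},
    {"proto": "dns", "query": "0.205.248.87.in-addr.arpa", "qtype": "PTR",
     "answers": ["https-87-248-205-0.lgw.llnw.net"]},
    {"proto": "dns", "query": "41.110.16.96.in-addr.arpa", "qtype": "PTR",
     "answers": ["a96-16-110-41.deploy.static.akamaitechnologies.com"]},
    {"proto": "tcp", "dst": "20.231.121.79", "port": 80, "sent": 46, "received": 0},
]


def ptr_to_ip(query: str) -> str:
    """'73.31.126.40.in-addr.arpa' -> '40.126.31.73' (IPv4 reverse name)."""
    labels = query.lower().removesuffix(".in-addr.arpa").split(".")
    return str(ip_address(".".join(reversed(labels))))


def in_domains(name: str, suffixes) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def resolved_names(flows) -> dict[str, str]:
    """Map every answered A record back to the name that produced it."""
    names = {}
    for f in flows:
        if f["proto"] == "dns" and f["qtype"] == "A":
            for ip in f["answers"]:
                names[ip] = f["query"]
    return names


def classify(flow, names) -> tuple[str, str]:
    """Return ('background', why) or ('review', why)."""
    if flow["proto"] == "dns":
        if flow["qtype"] == "PTR":
            return "background", f"reverse lookup of {ptr_to_ip(flow['query'])}, not a sample-chosen destination"
        if in_domains(flow["query"], BACKGROUND_DOMAINS):
            return "background", "known OS/telemetry domain"
        return "review", "DNS query for an unclassified name"
    if flow["proto"] == "http":
        if flow["user_agent"].startswith(BACKGROUND_USER_AGENTS):
            return "background", "Windows Shell user-agent"
        if in_domains(flow["host"], BACKGROUND_DOMAINS):
            return "background", "known OS/telemetry domain"
        return "review", "HTTP to an unclassified host"
    # Raw TCP/UDP: attribute the IP through the DNS answers seen in the same run.
    name = names.get(flow["dst"])
    if name and in_domains(name, BACKGROUND_DOMAINS):
        return "background", f"{flow['dst']} resolved from {name}"
    return "review", "bare IP with no DNS name observed"


def residual_indicators(flows) -> list[tuple[dict, str]]:
    """Flows left after background traffic is removed."""
    names = resolved_names(flows)
    out = []
    for f in flows:
        verdict, why = classify(f, names)
        if verdict == "review":
            out.append((f, why))
    return out


if __name__ == "__main__":
    names = resolved_names(FLOWS)
    for f in FLOWS:
        verdict, why = classify(f, names)
        label = f.get("query") or f.get("host") or f["dst"]
        print(f"{verdict:10} {f['proto']:4} {label}: {why}")
```

On this report the only residual is 20.231.121.79:80, a single 46-byte packet with no reply and no DNS name behind it. Everything else is Windows contacting Bing from the Shell and reverse lookups of CDN addresses, so the 113 seconds of capture show no command-and-control traffic attributable to the sample; the 7/10 score rests on the behavioural signatures (dropped EXE, self-delete, WriteProcessMemory), not on network indicators, and a short sandbox window says nothing about what the payload would do once the relaunch chain completes.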

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3F6A.tmp

    Filesize

    468KB

    MD5

    e3b1d2ddc4e7e8ae2bc56be7b132b6bd

    SHA1

    11c9bfe965e3c34ac241ec7988cc140f52d67a00

    SHA256

    c5e41ee7a15c139e8ae11be0422ab2aaf1df77cbcdf87c40eb7485497d69139b

    SHA512

    1e0b314c8c3bade356e0382724011b0062705a5c6c1720d868063ea28ebc3a723eda60a7d3c332dedca06e8a98e11074cbab06645b71beff40b1c67c288738d3
