Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2024, 12:45

General

  • Target

    2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe

  • Size

    462KB

  • MD5

    e442e3a5c68c592fa75e55ecd3aea323

  • SHA1

    23d7c48cd7b03c98ca9d8579fa75bd928e938857

  • SHA256

    ec54fcdec9c0feb77d30145939653675986eadd9eded8f547f49b3641b6bdd51

  • SHA512

    4b645dbdda75ba2fcf05a5a153e206f42c12568976f9cc3c3d8f65aa30529e2d3c1cb6affffe1f3bdbe3c178eb775423595e1fb52e47a9a4fa35781b7bbb4c67

  • SSDEEP

    6144:zRPu8zwNAZYCZrIik3tHQoO2V+aOOrYYSS79nmKIomaBjC9FIscds8QmsH5f:zJrIik3moO5apYYSSEnnJVX9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\1249.tmp
      "C:\Users\Admin\AppData\Local\Temp\1249.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe 7AB0490BC528FB15A997785E97680B7042C8E5410D4F90CDA38DA1CCD6E6D608AA8A31324A0854303C48DB8281224FDEE0EE8ABE6F6B18C9A141FA1ADDDC2553
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.docx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.docx

    Filesize

    21KB

    MD5

    7079891932a64f097abafd233055a1e9

    SHA1

    246d95feafe67689d49a5a4cadba18d3ac1914e5

    SHA256

    c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

    SHA512

    6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

  • \Users\Admin\AppData\Local\Temp\1249.tmp

    Filesize

    462KB

    MD5

    c4b95e32fbc373aeb2b2de575b13a6f0

    SHA1

    63760cffcbabd07e07b0e2cefc849edd5407cc9c

    SHA256

    bc2df594cc418abfd8be5239816847ffddc81189e61255c94a5e40ce5c7ee880

    SHA512

    574b34855b033f06ff35ca3642c27d08f6c91390e01411fc3de3cbadcd7783344c9ab3d265f464bc78896279e039ad26e91c4a8efa76779a08955c70ff003855

  • memory/2476-7-0x000000002F361000-0x000000002F362000-memory.dmp

    Filesize

    4KB

  • memory/2476-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2476-9-0x000000007168D000-0x0000000071698000-memory.dmp

    Filesize

    44KB

  • memory/2476-13-0x000000007168D000-0x0000000071698000-memory.dmp

    Filesize

    44KB