Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 12:45
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
Size: 462KB
MD5: e442e3a5c68c592fa75e55ecd3aea323
SHA1: 23d7c48cd7b03c98ca9d8579fa75bd928e938857
SHA256: ec54fcdec9c0feb77d30145939653675986eadd9eded8f547f49b3641b6bdd51
SHA512: 4b645dbdda75ba2fcf05a5a153e206f42c12568976f9cc3c3d8f65aa30529e2d3c1cb6affffe1f3bdbe3c178eb775423595e1fb52e47a9a4fa35781b7bbb4c67
SSDEEP: 6144:zRPu8zwNAZYCZrIik3tHQoO2V+aOOrYYSS79nmKIomaBjC9FIscds8QmsH5f:zJrIik3moO5apYYSSEnnJVX9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2720 | 1249.tmp
-
Loads dropped DLL 1 IoCs
pid | Process
2088 | 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2476 | WINWORD.EXE
-
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2720 | 1249.tmp
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2476 | WINWORD.EXE
2476 | WINWORD.EXE
2476 | WINWORD.EXE
2476 | WINWORD.EXE
2476 | WINWORD.EXE
2476 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2088 wrote to memory of 2720 | 2088 | 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe | 28
PID 2088 wrote to memory of 2720 | 2088 | 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe | 28
PID 2088 wrote to memory of 2720 | 2088 | 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe | 28
PID 2088 wrote to memory of 2720 | 2088 | 2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe | 28
PID 2720 wrote to memory of 2476 | 2720 | 1249.tmp | 29
PID 2720 wrote to memory of 2476 | 2720 | 1249.tmp | 29
PID 2720 wrote to memory of 2476 | 2720 | 1249.tmp | 29
PID 2720 wrote to memory of 2476 | 2720 | 1249.tmp | 29
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2088
    (depth 2) C:\Users\Admin\AppData\Local\Temp\1249.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\1249.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.exe 7AB0490BC528FB15A997785E97680B7042C8E5410D4F90CDA38DA1CCD6E6D608AA8A31324A0854303C48DB8281224FDEE0EE8ABE6F6B18C9A141FA1ADDDC2553
        - Executes dropped EXE
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory
        PID: 2720
        (depth 3) C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-19_e442e3a5c68c592fa75e55ecd3aea323_mafia.docx"
            - Modifies Internet Explorer settings
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of SetWindowsHookEx
            PID: 2476
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 21KB
MD5: 7079891932a64f097abafd233055a1e9
SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
-
Filesize: 462KB
MD5: c4b95e32fbc373aeb2b2de575b13a6f0
SHA1: 63760cffcbabd07e07b0e2cefc849edd5407cc9c
SHA256: bc2df594cc418abfd8be5239816847ffddc81189e61255c94a5e40ce5c7ee880
SHA512: 574b34855b033f06ff35ca3642c27d08f6c91390e01411fc3de3cbadcd7783344c9ab3d265f464bc78896279e039ad26e91c4a8efa76779a08955c70ff003855