Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
21/04/2024, 07:40
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe
-
Size
467KB
-
MD5
deb77dac5203f677349b531153a075e7
-
SHA1
90be2728a46e381012267864cf388e00434ee7ca
-
SHA256
072c5b069fa141dce4068e7e65aea900326fddbde22307af7eb08e07ebcce317
-
SHA512
399ffaf77ac5cd7bee6249f71ffbbda21537226450268ead152231e2d91e38831facf0b91d1cb55a7fa95be43d25d01ca575bec3d63f9c2ea3adc505691ecc7d
-
SSDEEP
12288:Bb4bZudi79LB2GGS01swd/6JMAIR6vFyG6Ak:Bb4bcdkLgS01xdyJUR6vdo
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation 49BB.tmp -
Executes dropped EXE 1 IoCs
pid Process 3880 49BB.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings 49BB.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4948 WINWORD.EXE 4948 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3880 49BB.tmp -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE 4948 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4496 wrote to memory of 3880 4496 2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe 86 PID 4496 wrote to memory of 3880 4496 2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe 86 PID 4496 wrote to memory of 3880 4496 2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe 86 PID 3880 wrote to memory of 4948 3880 49BB.tmp 91 PID 3880 wrote to memory of 4948 3880 49BB.tmp 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\49BB.tmp"C:\Users\Admin\AppData\Local\Temp\49BB.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-04-21_deb77dac5203f677349b531153a075e7_mafia.exe 305684C6FE201DD1926D8D6192878A43C2759410774280037EE5C6E202F910A37150F3CDA96A4084EBC142F4BA56AA0129D920B66729B5AD1C77F2648B5A866B2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-21_deb77dac5203f677349b531153a075e7_mafia.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4948
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5a6b03fc9e5439b7504ba08010a960962
SHA1e93a74f35ac1ed020158642eb1f2087fd31fc7c6
SHA256b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1
SHA512decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0
-
Filesize
467KB
MD57e8d3ca1dc228dc31d6e801c3944ecce
SHA12c3724c3267ace30f6de0e8b396ce58a8bf4c306
SHA256c7b7a8ac5a1e32dd1c64ab5adac785f5e34f5c5bb8accbbfa121d95693406542
SHA512178ddfe2b8816c3d0fe2c21da6e8a21babc01b58a2ced6a0c8fbc72f261631dcab5fb29978112d2e83d139c891d4b336a04239e408fc4cae80f7e1e73a669565
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84