Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14/05/2024, 11:47 UTC

General

  • Target

    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe

  • Size

    4.8MB

  • MD5

    0c271d77805e847b54c586d691f59130

  • SHA1

    ba17413a67cef8d05584da2e4b763a8daf6e34b1

  • SHA256

    a1fdb1cd4eb27032a94a479025d8505be2d0130b5fa8b18fe7f027829d120a99

  • SHA512

    38631609f402cb197cacaa187167ee73ef4723b6bc89f2df7949b9b621ee4c8ea31c581e48527f258dd360c74be885b383f3fec00fb023685db1e6d5af4621da

  • SSDEEP

    98304:35J+E0SCxIk7zumFWAs/fyIgdElb3EIaFFpPVKh9uN8L4c7eBoLbL5w7APXLAYTi:JYE0SCI4rbECIwBbiL4c7NL8X

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
      2⤵
      • Runs ping.exe
      PID:5096

Network

  • flag-us
    DNS
    down.vrbrothers.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    down.vrbrothers.com
    IN A
    Response
    down.vrbrothers.com
    IN A
    117.27.139.134
  • flag-us
    DNS
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    Remote address:
    8.8.8.8:53
    Request
    soft.anjian.com
    IN A
    Response
    soft.anjian.com
    IN A
    117.27.139.134
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=383A79D0ED7E650D173C6DAFEC9E644F; domain=.bing.com; expires=Sun, 08-Jun-2025 11:47:33 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 35B4EDDC67974EBD86E5EFFC55B4C34D Ref B: LON04EDGE1111 Ref C: 2024-05-14T11:47:33Z
    date: Tue, 14 May 2024 11:47:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=383A79D0ED7E650D173C6DAFEC9E644F
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Ty9pd6jCEy9RtTeaEf64fllV-OnfYjMp-2lIgxlr25A; domain=.bing.com; expires=Sun, 08-Jun-2025 11:47:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9FE0F3E000714A1A8E38C1C680D5AF6B Ref B: LON04EDGE1111 Ref C: 2024-05-14T11:47:33Z
    date: Tue, 14 May 2024 11:47:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=383A79D0ED7E650D173C6DAFEC9E644F; MSPTC=Ty9pd6jCEy9RtTeaEf64fllV-OnfYjMp-2lIgxlr25A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9A335C2143F84BFEA940201E00D6E18A Ref B: LON04EDGE1111 Ref C: 2024-05-14T11:47:33Z
    date: Tue, 14 May 2024 11:47:32 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.195:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=383A79D0ED7E650D173C6DAFEC9E644F; MSPTC=Ty9pd6jCEy9RtTeaEf64fllV-OnfYjMp-2lIgxlr25A
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Tue, 14 May 2024 11:47:35 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.bf53dd58.1715687255.2285ff47
  • flag-us
    DNS
    195.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.83.221.88.in-addr.arpa
    IN PTR
    Response
    195.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-195.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    www.baidu.com
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.baidu.com
    IN A
    Response
    www.baidu.com
    IN CNAME
    www.a.shifen.com
    www.a.shifen.com
    IN CNAME
    www.wshifen.com
    www.wshifen.com
    IN A
    103.235.46.40
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 117.27.139.134:80
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    260 B
    5
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bd6d873864604b0f8c1d9c44c49f460a&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

    HTTP Response

    204
  • 117.27.139.134:80
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    260 B
    5
  • 88.221.83.195:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 117.27.139.134:80
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    208 B
    4
  • 117.27.139.134:80
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    260 B
    5
  • 117.27.139.134:80
    soft.anjian.com
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    260 B
    5
  • 8.8.8.8:53
    down.vrbrothers.com
    dns
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    65 B
    81 B
    1
    1

    DNS Request

    down.vrbrothers.com

    DNS Response

    117.27.139.134

  • 8.8.8.8:53
    soft.anjian.com
    dns
    2024-05-14_0c271d77805e847b54c586d691f59130_mafia.exe
    61 B
    77 B
    1
    1

    DNS Request

    soft.anjian.com

    DNS Response

    117.27.139.134

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    195.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    195.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    www.baidu.com
    dns
    PING.EXE
    59 B
    128 B
    1
    1

    DNS Request

    www.baidu.com

    DNS Response

    103.235.46.40

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mac5870.tmp

    Filesize

    335B

    MD5

    f0ec4dd4f88fcb2c3174b2f0d3f73d89

    SHA1

    69f18c94c71b6ddc3b5e71c3eae4eb3ab8b9de7b

    SHA256

    de8c437bd2e829a1bca66f4d26ec60138cbfa35dd6a0e04058acb84ffd1b8cb3

    SHA512

    da3651bda4516dc0c7c9eacbeaceb3e8dfff5e7bb680a566f04c2a2f32ddc414bc4fc9e69d70f499f4f79fa4138880234001320c8d698f0e4447fc41b170ec98
