Analysis
  max time kernel:   150s
  max time network:  120s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         28/06/2024, 03:50
Static task: static1

Behavioral task: behavioral1
  Sample:   2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  Resource: win10v2004-20240226-en

(The analysis below is the windows7_x64 run, behavioral1.)
General
  Target:  2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  Size:    1.0MB
  MD5:     4a0924c3e7079e44966246c1057de747
  SHA1:    9ae9a85cdcba274150a561590ceb709cc5ca4508
  SHA256:  00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84
  SHA512:  4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b
  SSDEEP:  24576:HG2EgSiOmJK8f40qsis1fL+rwyf5OH/ItewTvBy81u8vLHII/GY:HGMSiiFs1aR5OH4nBynqII
Malware Config
Signatures
Windows security bypass  4 IoCs
  description      ioc                                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"        gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"  gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"       gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"   gpqnxnblma.exe

These four DWORDs are the Windows 7 Security Center switches: the *Override values tell Security Center that antivirus and firewall are managed by a third party (so it stops reporting them as missing or off), and the *DisableNotify values suppress the balloon warnings. They do not change firewall or antivirus state themselves; they silence the alerts that the netsh call below would otherwise raise. Any value other than 0 under this key on a host with no third-party security product is worth an investigation.
Modifies Windows Firewall  2 TTPs  1 IoCs
  pid   process
  2472  netsh.exe
Executes dropped EXE  5 IoCs
  pid   process
  2252  cpynsh9ptvxnvdincutkxorw.exe
  2932  gpqnxnblma.exe
  2596  hzknawajtiqz.exe
  2608  gpqnxnblma.exe
  2504  cpynsh9aq96owdin.exe
Loads dropped DLL  4 IoCs
  pid   process
  2076  2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  2076  2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  2932  gpqnxnblma.exe
  2932  gpqnxnblma.exe
Windows security modification  4 IoCs
  description      ioc                                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"   gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"        gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"  gpqnxnblma.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"       gpqnxnblma.exe

(Same four registry writes as under "Windows security bypass"; the two signatures fire on the same events.)
Drops file in Windows directory  21 IoCs
  description                  ioc                               process
  File created                 C:\Windows\xwseykagkku\run        gpqnxnblma.exe
  File created                 C:\Windows\xwseykagkku\tst        2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  File opened for modification C:\Windows\xwseykagkku\           cpynsh9ptvxnvdincutkxorw.exe
  File opened for modification C:\Windows\gpqnxnblma.exe         cpynsh9ptvxnvdincutkxorw.exe
  File opened for modification C:\Windows\xwseykagkku\tst        gpqnxnblma.exe
  File created                 C:\Windows\xwseykagkku\lck        gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\tst        gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\           hzknawajtiqz.exe
  File opened for modification C:\Windows\xwseykagkku\rng        gpqnxnblma.exe
  File created                 C:\Windows\hzknawajtiqz.exe       gpqnxnblma.exe
  File created                 C:\Windows\xwseykagkku\rng        gpqnxnblma.exe
  File created                 C:\Windows\xwseykagkku\cfg        gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\           gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\           2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
  File opened for modification C:\Windows\xwseykagkku\           gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\lck        gpqnxnblma.exe
  File opened for modification C:\Windows\hzknawajtiqz.exe       gpqnxnblma.exe
  File opened for modification C:\Windows\xwseykagkku\tst        hzknawajtiqz.exe
  File opened for modification C:\Windows\xwseykagkku\tst        cpynsh9ptvxnvdincutkxorw.exe
  File created                 C:\Windows\xwseykagkku\lck        cpynsh9ptvxnvdincutkxorw.exe
  File created                 C:\Windows\gpqnxnblma.exe         cpynsh9ptvxnvdincutkxorw.exe

Host artefacts to look for: a working directory C:\Windows\xwseykagkku\ holding the small state files run, tst, lck, rng and cfg, plus two executables written directly into the Windows directory root, C:\Windows\gpqnxnblma.exe (dropped by the intermediate stage cpynsh9ptvxnvdincutkxorw.exe) and C:\Windows\hzknawajtiqz.exe (dropped by gpqnxnblma.exe itself). Writing into C:\Windows requires administrative rights, so the sample ran elevated in this sandbox; the random-looking directory and file names will differ between runs, the location pattern will not.
Event Triggered Execution: Netsh Helper DLL  1 TTPs  3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description          ioc                                                 process
  Key opened           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe

Caveat: all three IoCs are reads. netsh enumerates HKLM\SOFTWARE\Microsoft\NetSh on every start to find its registered helper DLLs, so this signature fires whenever netsh runs at all. The report shows no write to that key, i.e. no helper DLL was registered; the persistence technique in the ATT&CK mapping (T1546.007) is inferred from netsh execution, not observed. The Wow6432Node path is because the 32-bit netsh.exe was launched (see the process tree).
Modifies data under HKEY_USERS  17 IoCs
All 17 values sit under \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\ and were written by netsh.exe:
  Set value (str)   @%SystemRoot%\system32\dhcpqec.dll,-100  = "DHCP Quarantine Enforcement Client"
  Set value (str)   @%SystemRoot%\system32\dhcpqec.dll,-101  = "Provides DHCP based enforcement for NAP"
  Set value (str)   @%SystemRoot%\system32\dhcpqec.dll,-102  = "Microsoft Corporation"
  Set value (str)   @%SystemRoot%\system32\dhcpqec.dll,-103  = "1.0"
  Set value (str)   @%SystemRoot%\system32\tsgqec.dll,-100   = "RD Gateway Quarantine Enforcement Client"
  Set value (str)   @%SystemRoot%\system32\tsgqec.dll,-101   = "Provides RD Gateway enforcement for NAP"
  Set value (str)   @%SystemRoot%\system32\tsgqec.dll,-102   = "1.0"
  Set value (str)   @%SystemRoot%\system32\tsgqec.dll,-103   = "Microsoft Corporation"
  Set value (str)   @%SystemRoot%\system32\napipsec.dll,-1   = "IPsec Relying Party"
  Set value (str)   @%SystemRoot%\system32\napipsec.dll,-2   = "Provides IPsec based enforcement for Network Access Protection"
  Set value (str)   @%SystemRoot%\system32\napipsec.dll,-3   = "Microsoft Corporation"
  Set value (str)   @%SystemRoot%\system32\napipsec.dll,-4   = "1.0"
  Set value (str)   @%SystemRoot%\system32\eapqec.dll,-100   = "EAP Quarantine Enforcement Client"
  Set value (str)   @%SystemRoot%\system32\eapqec.dll,-101   = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
  Set value (str)   @%SystemRoot%\system32\eapqec.dll,-102   = "1.0"
  Set value (str)   @%SystemRoot%\system32\eapqec.dll,-103   = "Microsoft Corporation"
  Set value (data)  LanguageList = 65006e002d0055005300000065006e0000000000  (UTF-16LE "en-US", "en")

Caveat: these are MUI string-cache entries created as netsh loaded the built-in Network Access Protection helpers (dhcpqec, tsgqec, napipsec, eapqec). They carry no attacker data. The one useful detail is the hive: HKU\.DEFAULT is where HKCU resolves for processes running as LocalSystem, which is consistent with gpqnxnblma.exe (the parent of this netsh) running under a service rather than in the user's session.
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid   process           entries
  2932  gpqnxnblma.exe    8
  2596  hzknawajtiqz.exe  56
(Collapsed from 64 identical pid/process rows; the watchdog process hzknawajtiqz.exe accounts for almost all of them.)
Suspicious use of WriteProcessMemory  20 IoCs
Each parent/child pair is listed four times in the source table; collapsed here with a count.
  parent pid  parent process                                          child pid  procid_target  writes
  2076        2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe  2252       28             4
  2932        gpqnxnblma.exe                                          2596       30             4
  2252        cpynsh9ptvxnvdincutkxorw.exe                            2608       31             4
  2932        gpqnxnblma.exe                                          2472       32             4
  2932        gpqnxnblma.exe                                          2504       34             4
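The WriteProcessMemory table is the only place the report records which process started which; flattened as above it is hard to read, and the interesting fact (that PID 2932 has no recorded parent) is easy to miss. The following Python is an added example, not part of the tria.ge report or its tooling: it parses the table's entries (copied verbatim from this report) into parent/child edges, collapses the repeated writes, and prints the resulting tree with its roots. The column layout it assumes ("PID <src> wrote to memory of <dst> <pid> <image> <procid_target>") and the PROCESS_NAMES map are transcribed from this page, not from any tria.ge API.

```python
"""Rebuild the process tree from the flattened 'Suspicious use of
WriteProcessMemory' table of a tria.ge-style report.

Added example, not part of the report or of tria.ge's tooling. The entries
below are copied from the report's table; the column layout assumed here
("PID <src> wrote to memory of <dst> <pid> <image> <procid_target>") is an
assumption about the flattened page, and PROCESS_NAMES is transcribed from
the report's process tree.
"""
import re
from collections import Counter, defaultdict

# Copied from the report. Every parent/child pair appears four times there.
WPM_ENTRIES = """
PID 2076 wrote to memory of 2252 2076 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe 28
PID 2076 wrote to memory of 2252 2076 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe 28
PID 2076 wrote to memory of 2252 2076 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe 28
PID 2076 wrote to memory of 2252 2076 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe 28
PID 2932 wrote to memory of 2596 2932 gpqnxnblma.exe 30
PID 2932 wrote to memory of 2596 2932 gpqnxnblma.exe 30
PID 2932 wrote to memory of 2596 2932 gpqnxnblma.exe 30
PID 2932 wrote to memory of 2596 2932 gpqnxnblma.exe 30
PID 2252 wrote to memory of 2608 2252 cpynsh9ptvxnvdincutkxorw.exe 31
PID 2252 wrote to memory of 2608 2252 cpynsh9ptvxnvdincutkxorw.exe 31
PID 2252 wrote to memory of 2608 2252 cpynsh9ptvxnvdincutkxorw.exe 31
PID 2252 wrote to memory of 2608 2252 cpynsh9ptvxnvdincutkxorw.exe 31
PID 2932 wrote to memory of 2472 2932 gpqnxnblma.exe 32
PID 2932 wrote to memory of 2472 2932 gpqnxnblma.exe 32
PID 2932 wrote to memory of 2472 2932 gpqnxnblma.exe 32
PID 2932 wrote to memory of 2472 2932 gpqnxnblma.exe 32
PID 2932 wrote to memory of 2504 2932 gpqnxnblma.exe 34
PID 2932 wrote to memory of 2504 2932 gpqnxnblma.exe 34
PID 2932 wrote to memory of 2504 2932 gpqnxnblma.exe 34
PID 2932 wrote to memory of 2504 2932 gpqnxnblma.exe 34
"""

# PID -> image name, transcribed from the report's process tree.
PROCESS_NAMES = {
    2076: "2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe",
    2252: "cpynsh9ptvxnvdincutkxorw.exe",
    2608: "gpqnxnblma.exe",
    2932: "gpqnxnblma.exe",
    2596: "hzknawajtiqz.exe",
    2472: "netsh.exe",
    2504: "cpynsh9aq96owdin.exe",
}

_ENTRY = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_entries(text):
    """Return a list of (parent_pid, child_pid, parent_image, target_index)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        src, dst, pid, image, target = m.groups()
        if src != pid:  # the description column and the pid column must agree
            raise ValueError(f"pid mismatch in entry: {line!r}")
        entries.append((int(src), int(dst), image, int(target)))
    return entries


def write_counts(entries):
    """Collapse repeated writes: {(parent_pid, child_pid): number_of_writes}."""
    return Counter((p, c) for p, c, _, _ in entries)


def children(entries):
    """{parent_pid: sorted child pids} derived from the write edges."""
    tree = defaultdict(set)
    for p, c, _, _ in entries:
        tree[p].add(c)
    return {p: sorted(cs) for p, cs in tree.items()}


def roots(entries, known_pids):
    """PIDs that never appear as a write target. A known PID with no recorded
    parent (2932 in this report) was started by something the table does not
    capture, e.g. the service control manager."""
    parents = {p for p, _, _, _ in entries}
    kids = {c for _, c, _, _ in entries}
    return sorted((set(known_pids) | parents) - kids)


def render(entries, names):
    """Indented text tree, one line per process, with the write count per edge."""
    tree, counts, lines = children(entries), write_counts(entries), []

    def walk(pid, depth, parent=None):
        label = f"{pid} {names.get(pid, '?')}"
        if parent is not None:
            label += f"  ({counts[(parent, pid)]} writes from {parent})"
        lines.append("  " * depth + label)
        for child in tree.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots(entries, names):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_entries(WPM_ENTRIES), PROCESS_NAMES)))
```

Running it prints two trees, one rooted at 2076 (the submitted sample) and one rooted at 2932 (the copy in C:\Windows), which is the quickest way to confirm that the second gpqnxnblma.exe was not spawned by anything the report captured.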
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe  (PID 2076)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe"
  signatures:   Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\cpynsh9ptvxnvdincutkxorw.exe  (PID 2252)
       command line: "C:\Users\Admin\AppData\Local\Temp\cpynsh9ptvxnvdincutkxorw.exe"
       signatures:   Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
       └─ C:\Windows\gpqnxnblma.exe  (PID 2608)
            command line: "C:\Windows\gpqnxnblma.exe"
            signatures:   Executes dropped EXE; Drops file in Windows directory

C:\Windows\gpqnxnblma.exe  (PID 2932; second root, no parent recorded in this tree)
  command line: C:\Windows\gpqnxnblma.exe
  signatures:   Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  ├─ C:\Windows\hzknawajtiqz.exe  (PID 2596)
  │    command line: WATCHDOGPROC "c:\windows\gpqnxnblma.exe"
  │    signatures:   Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  ├─ C:\Windows\SysWOW64\netsh.exe  (PID 2472)
  │    command line: C:\Windows\system32\netsh.exe firewall set opmode disable
  │    signatures:   Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; Modifies data under HKEY_USERS
  └─ C:\Windows\TEMP\cpynsh9aq96owdin.exe  (PID 2504)
       command line: C:\Windows\TEMP\cpynsh9aq96owdin.exe -r 42719 tcp
       signatures:   Executes dropped EXE

Reading the tree:
  - The submitted sample runs from the user's Temp directory, spawns the intermediate cpynsh9ptvxnvdincutkxorw.exe, which writes the payload to C:\Windows\gpqnxnblma.exe and starts it once (PID 2608). That instance does nothing beyond touching files under C:\Windows\xwseykagkku\.
  - The instance that does the actual tampering (PID 2932) is a separate root: no WriteProcessMemory entry names it as a child, so whatever started it is outside the captured parent/child data. Together with the HKU\.DEFAULT registry writes of its netsh child and the Create or Modify System Process: Windows Service tag in the ATT&CK section, this is consistent with a service start, although the report lists no service-creation IoC of its own.
  - hzknawajtiqz.exe receives the path of the main binary as its only argument after the literal WATCHDOGPROC and produces nearly all of the EnumeratesProcesses hits; the argument name suggests it watches for, and presumably restarts, gpqnxnblma.exe. Killing only the main process is therefore unlikely to be enough during remediation.
  - netsh firewall set opmode disable uses the legacy "netsh firewall" context, which Windows 7 still honours: it turns the host firewall off for the active profile. The image is C:\Windows\SysWOW64\netsh.exe although the command line names system32, i.e. the 32-bit parent was redirected by WoW64. That matches the arch:x86 resource tag and the Wow6432Node key in the Netsh Helper DLL signature.
  - cpynsh9aq96owdin.exe is launched from C:\Windows\TEMP with "-r 42719 tcp", which reads like a port number and a protocol, but the Network section of this run records nothing, so what it does with them is not established here.
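Three of the behaviours above are cheap to detect from endpoint telemetry: the Security Center override/notify values being set to 1, the firewall being switched off through netsh, and executables being written straight into the Windows directory root. The Python below is an added example, not part of the report: it applies those three rules to constructed, Sysmon-shaped event records (EventID 1 process create, 11 file create, 13 registry value set) whose paths and values mirror this report's IoCs. The records, field names and rule names are the example's own assumptions, not output from the sandbox; the netsh rule also covers the newer "advfirewall ... state off" syntax, which this sample did not use.

```python
"""Detection rules for the host-side tampering this report shows: Security
Center override/notify DWORDs set to 1, the firewall disabled via netsh, and
executables dropped directly into the Windows directory root.

Added example, not part of the report. It runs over constructed Sysmon-shaped
records (EventID 1 process create, 11 file create, 13 registry value set); the
records, field names and rule names are assumptions made for this example.
"""
import re

# Windows 7 Security Center monitor switches. The four names seen in the
# report are certain; the two Updates* names are assumed from the same scheme.
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "antivirusdisablenotify",
    "firewalloverride", "firewalldisablenotify",
    "updatesoverride", "updatesdisablenotify",
}
_SC_KEY = re.compile(r"\\security center\\svc\\([a-z]+)$", re.IGNORECASE)
_DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")
# Legacy "netsh firewall" context (Windows XP/2003, still honoured on Windows 7)
# and the "netsh advfirewall" context used since Vista.
_NETSH_OFF = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)\b", re.IGNORECASE)
_WINDIR_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def check_registry(ev):
    """EventID 13: a Security Center override/notify value set to 1."""
    m = _SC_KEY.search(ev.get("TargetObject", ""))
    if not m or m.group(1).lower() not in SECURITY_CENTER_VALUES:
        return None
    d = _DWORD.search(ev.get("Details", ""))
    if not d or int(d.group(1), 16) != 1:
        return None
    return "security_center_override"


def check_netsh(ev):
    """EventID 1: netsh used to switch the firewall off."""
    if _NETSH_OFF.search(ev.get("CommandLine", "")):
        return "firewall_disabled_via_netsh"
    return None


def check_windir_drop(ev):
    """EventID 11: an .exe written directly into the Windows directory root."""
    if _WINDIR_EXE.match(ev.get("TargetFilename", "")):
        return "exe_dropped_in_windir_root"
    return None


RULES = {13: check_registry, 1: check_netsh, 11: check_windir_drop}


def detect(events):
    """Return [(rule_name, image, detail)] for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        name = rule(ev) if rule else None
        if name:
            detail = (ev.get("CommandLine") or ev.get("TargetObject")
                      or ev.get("TargetFilename"))
            hits.append((name, ev.get("Image", ""), detail))
    return hits


# Constructed sample events; paths and values copied from the report's IoCs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\gpqnxnblma.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\gpqnxnblma.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify",
     "Details": "DWORD (0x00000001)"},
    # value reset to 0 is the default, not a suppression: no hit
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r"C:\Windows\system32\netsh.exe firewall set opmode disable"},
    # same intent, newer syntax: hit
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # benign netsh use: no hit
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\cpynsh9ptvxnvdincutkxorw.exe",
     "TargetFilename": r"C:\Windows\gpqnxnblma.exe"},
    # a drop into C:\Windows\TEMP is not the root and is left to other rules
    {"EventID": 11, "Image": r"C:\Windows\gpqnxnblma.exe",
     "TargetFilename": r"C:\Windows\TEMP\cpynsh9aq96owdin.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep="  |  ")
```

The registry rule deliberately checks the written value, not just the key: a product uninstaller or Group Policy legitimately resets these values to 0, and alerting on every write to the key is what turns a good rule into noise. The netsh rule keys on the command line rather than on the Netsh Helper DLL registry reads, which, as noted above, happen on every netsh start.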
Network
(no entries in this report)
MITRE ATT&CK Enterprise v15
  Persistence
    Create or Modify System Process (1): Windows Service (1)
    Event Triggered Execution (1): Netsh Helper DLL (1)
  Privilege Escalation
    Create or Modify System Process (1): Windows Service (1)
    Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

Filesize 4B
  MD5:     40497c86020084c2bbf5445cd18d597a
  SHA1:    bd3e974b3c0619c84b98c0be0aabf91f4101bc64
  SHA256:  95289b2dda0e64fd15afd08d382f6af6a1cf08d74d1dc4e3b607d8ca89f23760
  SHA512:  b2d5bbd49a298259676b4ea9f0fa318f1286aac256ff69250d17a9ed96519ad564be1edd5d4f805e5f60d1fad1249c64f1491e9c2b1d19387220d646cf286779

Filesize 10B
  MD5:     d9e0d258df86c6859951b803fa0e539c
  SHA1:    d04df79fdffa92605bdc478f4247fa2b55fceb7f
  SHA256:  e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e
  SHA512:  8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Filesize 1.0MB  (same hashes as the submitted sample)
  MD5:     4a0924c3e7079e44966246c1057de747
  SHA1:    9ae9a85cdcba274150a561590ceb709cc5ca4508
  SHA256:  00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84
  SHA512:  4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b

Filesize 34KB
  MD5:     476f447617f65eebf35c52d4fd3b3188
  SHA1:    179ee6e698803a45be916f107638f01d553d6e65
  SHA256:  a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0
  SHA512:  37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9