Analysis

  • max time kernel
    157s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/06/2024, 03:50

General

  • Target

    2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe

  • Size

    1.0MB

  • MD5

    4a0924c3e7079e44966246c1057de747

  • SHA1

    9ae9a85cdcba274150a561590ceb709cc5ca4508

  • SHA256

    00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84

  • SHA512

    4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b

  • SSDEEP

    24576:HG2EgSiOmJK8f40qsis1fL+rwyf5OH/ItewTvBy81u8vLHII/GY:HGMSiiFs1aR5OH4nBynqII

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Drops file in Windows directory 21 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe
      "C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\gpqnxnblma.exe
        "C:\Windows\gpqnxnblma.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3780
  • C:\Windows\gpqnxnblma.exe
    C:\Windows\gpqnxnblma.exe
    1⤵
    • Windows security bypass
    • Executes dropped EXE
    • Windows security modification
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\hzknawajtiqz.exe
      WATCHDOGPROC "c:\windows\gpqnxnblma.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:488
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe firewall set opmode disable
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:3112
    • C:\Windows\TEMP\cpynsh9dl5dstdin.exe
      C:\Windows\TEMP\cpynsh9dl5dstdin.exe -r 39500 tcp
      2⤵
      • Executes dropped EXE
      PID:3980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1840

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe
      Filesize: 1.0MB
      MD5: 4a0924c3e7079e44966246c1057de747
      SHA1: 9ae9a85cdcba274150a561590ceb709cc5ca4508
      SHA256: 00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84
      SHA512: 4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b

    • C:\Windows\Temp\cpynsh9dl5dstdin.exe
      Filesize: 34KB
      MD5: 476f447617f65eebf35c52d4fd3b3188
      SHA1: 179ee6e698803a45be916f107638f01d553d6e65
      SHA256: a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0
      SHA512: 37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

    • C:\Windows\xwseykagkku\rng
      Filesize: 4B
      MD5: 40497c86020084c2bbf5445cd18d597a
      SHA1: bd3e974b3c0619c84b98c0be0aabf91f4101bc64
      SHA256: 95289b2dda0e64fd15afd08d382f6af6a1cf08d74d1dc4e3b607d8ca89f23760
      SHA512: b2d5bbd49a298259676b4ea9f0fa318f1286aac256ff69250d17a9ed96519ad564be1edd5d4f805e5f60d1fad1249c64f1491e9c2b1d19387220d646cf286779

    • C:\Windows\xwseykagkku\tst
      Filesize: 10B
      MD5: d9e0d258df86c6859951b803fa0e539c
      SHA1: d04df79fdffa92605bdc478f4247fa2b55fceb7f
      SHA256: e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e
      SHA512: 8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

    • memory/3980-32-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize: 48KB