Analysis
- max time kernel: 157s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 03:50
Tasks
- Static task: static1
- Behavioral task: behavioral1; Sample: 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe; Resource: win7-20240221-en
- Behavioral task: behavioral2; Sample: 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe; Resource: win10v2004-20240226-en
General
- Target: 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
- Size: 1.0MB
- MD5: 4a0924c3e7079e44966246c1057de747
- SHA1: 9ae9a85cdcba274150a561590ceb709cc5ca4508
- SHA256: 00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84
- SHA512: 4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b
- SSDEEP: 24576:HG2EgSiOmJK8f40qsis1fL+rwyf5OH/ItewTvBy81u8vLHII/GY:HGMSiiFs1aR5OH4nBynqII
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | gpqnxnblma.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3112 | netsh.exe

Executes dropped EXE 5 IoCs
pid | Process
1556 | cpynsh9f1iudadincutkxorw.exe
1616 | gpqnxnblma.exe
488 | hzknawajtiqz.exe
3780 | gpqnxnblma.exe
3980 | cpynsh9dl5dstdin.exe

Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | gpqnxnblma.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | gpqnxnblma.exe

Drops file in Windows directory 21 IoCs
description | ioc | Process
File created | C:\Windows\xwseykagkku\lck | cpynsh9f1iudadincutkxorw.exe
File opened for modification | C:\Windows\gpqnxnblma.exe | cpynsh9f1iudadincutkxorw.exe
File opened for modification | C:\Windows\xwseykagkku\tst | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\lck | gpqnxnblma.exe
File created | C:\Windows\hzknawajtiqz.exe | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\ | hzknawajtiqz.exe
File created | C:\Windows\xwseykagkku\run | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\tst | gpqnxnblma.exe
File created | C:\Windows\xwseykagkku\cfg | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\ | gpqnxnblma.exe
File created | C:\Windows\xwseykagkku\lck | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\ | 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
File opened for modification | C:\Windows\xwseykagkku\tst | cpynsh9f1iudadincutkxorw.exe
File created | C:\Windows\gpqnxnblma.exe | cpynsh9f1iudadincutkxorw.exe
File opened for modification | C:\Windows\hzknawajtiqz.exe | gpqnxnblma.exe
File opened for modification | C:\Windows\xwseykagkku\tst | hzknawajtiqz.exe
File opened for modification | C:\Windows\xwseykagkku\rng | gpqnxnblma.exe
File created | C:\Windows\xwseykagkku\tst | 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
File opened for modification | C:\Windows\xwseykagkku\ | cpynsh9f1iudadincutkxorw.exe
File opened for modification | C:\Windows\xwseykagkku\ | gpqnxnblma.exe
File created | C:\Windows\xwseykagkku\rng | gpqnxnblma.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1616 | gpqnxnblma.exe (2 entries)
488 | hzknawajtiqz.exe (62 entries)

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 2104 wrote to memory of 1556 | 2104 | 2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe | 90 (3 entries)
PID 1616 wrote to memory of 488 | 1616 | gpqnxnblma.exe | 92 (3 entries)
PID 1556 wrote to memory of 3780 | 1556 | cpynsh9f1iudadincutkxorw.exe | 93 (3 entries)
PID 1616 wrote to memory of 3112 | 1616 | gpqnxnblma.exe | 94 (3 entries)
PID 1616 wrote to memory of 3980 | 1616 | gpqnxnblma.exe | 96 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe (PID 2104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe (PID 1556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\gpqnxnblma.exe (PID 3780)
      Command line: "C:\Windows\gpqnxnblma.exe"
      Signatures: Executes dropped EXE; Drops file in Windows directory
- C:\Windows\gpqnxnblma.exe (PID 1616)
  Command line: C:\Windows\gpqnxnblma.exe
  Signatures: Windows security bypass; Executes dropped EXE; Windows security modification; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\hzknawajtiqz.exe (PID 488)
    Command line: WATCHDOGPROC "c:\windows\gpqnxnblma.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\netsh.exe (PID 3112)
    Command line: C:\Windows\system32\netsh.exe firewall set opmode disable
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\TEMP\cpynsh9dl5dstdin.exe (PID 3980)
    Command line: C:\Windows\TEMP\cpynsh9dl5dstdin.exe -r 39500 tcp
    Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads