Analysis
max time kernel: 139s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2024, 00:49
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe
Size: 2.3MB
MD5: 44bf3be89183d4ca5bd74aec108dedd9
SHA1: 305c4c35302019c21250e4d318473d18ac57fb79
SHA256: 3575719618781d1118295e4f925f1a64a04341064a7272a5af8f3fca56e8baf5
SHA512: 37218f8c8b7a6ecc972305b82ec477af641b4c33797a114d4cbb7445493e5c0d6e2934efac59847138ba8ab63a62f3b479150a47e260e25923314fc033848b63
SSDEEP: 49152:vZRpZ8sSugiO+Kq2SDNNgaciS0O3BZrLsPZQn90IYPqIqeL:1Z8/uUq2SvgiK3BZ/sBQn90IpI
Malware Config
Signatures
resource: behavioral2/files/0x0003000000022a5f-33.dat

Loads dropped DLL (1 IoC)
  pid 2080 | EXCEL.EXE

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | 2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2080 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2080 | EXCEL.EXE (4 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2080 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (17 IoCs)
  pid 2080 | EXCEL.EXE (17 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid Process | procid_target
  PID 2080 wrote to memory of 1884 | 2080 EXCEL.EXE | 91
  PID 2080 wrote to memory of 1884 | 2080 EXCEL.EXE | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe (PID 668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-01_44bf3be89183d4ca5bd74aec108dedd9_mafia.exe"
  - Checks processor information in registry

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2080)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe (PID 1884)
    Command line: C:\Windows\splwow64.exe 12288

- C:\Windows\system32\svchost.exe (PID 3104)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 7eca219377b9d8dca9258abad66f4730
  SHA1: fd13a2c76cf9016d16390bbedc8caef125747df4
  SHA256: daf3c95cd5365199f0407ab8f43b5817673c4a58ba99a0a405a5510231852318
  SHA512: 4786991f37ccc7f79337b45298f0dde8bd6d2cb79f2b06ea03d1c1fc09dfc4fd1254621506c3d9f25a216070463a33abe6bfd13ab1a38978dd270b66f35a2038

- Filesize: 22KB
  MD5: 29c44d16abfff0d8ccbd43a80871a904
  SHA1: 5f6417443a42856fd13d90e56153a8b5d272dffd
  SHA256: 63c99e16ff5432d4432fd01de90d549f1c898049d63422450cb93ab8e29fdb2d
  SHA512: ed62a24fb42abb49a8c23aab6c4e140b4b98a25227c100f9c8081f325ba3a41d6b49a5628a704db7f1207bc0c3bb852ea02d88f4a868e7ec1f2ddf599d0839e7

- Filesize: 26KB
  MD5: 68ae3f8f60641e3b6e40c907e9f01daa
  SHA1: 204d0f28e2970af8a6727198b88edbfdd19d5c51
  SHA256: 759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0
  SHA512: 443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf