Analysis

  • max time kernel: 118s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 01/07/2024, 02:02

General

  • Target: 2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
  • Size: 2.3MB
  • MD5: 38096ebccfd329d3a63891879a4f93dd
  • SHA1: 6ee9c66b5cb7bbfb0e9388889a84c98a7469db99
  • SHA256: 91713d4699fa9e60e1cd46fbda228f06379241698d0864b19857b9de4f3b77dc
  • SHA512: 48acb88ae3bf48c34cc0e039b679f67783e3ce832419deedf4960d32307cb5b864dd176d578964c453628380945ce6cf63d637cefe11a690a801a9b202e29805
  • SSDEEP: 49152:sZRpZ8sSugiO+Kq2SDNNgaciS0O3BZrLsPZQn90IYPqIyL:eZ8/uUq2SvgiK3BZ/sBQn90IpI

Score: 8/10

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe"
    1⤵
    • Checks processor information in registry
    PID:1976
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\SpreadsheetTools\empty.xls
    Filesize: 22KB
    MD5: f14e7f0ae2d441b4111534ed1bd69bc4
    SHA1: 8e3a99fc7bfb50846146d83d574d80ca55e0e2da
    SHA256: e97d244def740eafc2d7767a0261a3ac76348b086a2c217728ec7c563de026a1
    SHA512: 53e03482d174f4aa425f5e5589a136f1fd9365fa4dad46b1524c9330c9b43547c5e7e82955c92b495b6de3b3955bef3e9617b385ed7c7e6c74bbf67cf3f38ecf

  • C:\Users\Admin\AppData\Local\SpreadsheetTools\lxLdr.xlam
    Filesize: 26KB
    MD5: 68ae3f8f60641e3b6e40c907e9f01daa
    SHA1: 204d0f28e2970af8a6727198b88edbfdd19d5c51
    SHA256: 759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0
    SHA512: 443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf

  • \Users\Admin\AppData\Local\SpreadsheetTools\32\LockXLSRuntime.dll
    Filesize: 1.4MB
    MD5: 9f4540c1227111a9f1466cb8e9f44977
    SHA1: d8d0533884b02330a7c24e2217705d02242216d5
    SHA256: 7eeae01c7b5e5927436e3fdab844d185e8bdf30cf33df595bdf55bbd86708caa
    SHA512: 01348a05fbc97b4a85d498a7de36a52764b50025be6fa3b83c1806eedcc049ab9febfcb5a611846e762b34689fd154c491e1ea52406012885c47e2b78d096863
