Analysis
-
max time kernel
119s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
01/07/2024, 02:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
-
Size
2.3MB
-
MD5
38096ebccfd329d3a63891879a4f93dd
-
SHA1
6ee9c66b5cb7bbfb0e9388889a84c98a7469db99
-
SHA256
91713d4699fa9e60e1cd46fbda228f06379241698d0864b19857b9de4f3b77dc
-
SHA512
48acb88ae3bf48c34cc0e039b679f67783e3ce832419deedf4960d32307cb5b864dd176d578964c453628380945ce6cf63d637cefe11a690a801a9b202e29805
-
SSDEEP
49152:sZRpZ8sSugiO+Kq2SDNNgaciS0O3BZrLsPZQn90IYPqIyL:eZ8/uUq2SvgiK3BZ/sBQn90IpI
Malware Config
Signatures
-
resource  behavioral2/files/0x00080000000233ef-32.dat
-
Loads dropped DLL (1 IoC)
pid   Process
3156  EXCEL.EXE
-
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments. Note the attribution in this run: five of the seven events are EXCEL.EXE (PID 3156) reading CPU details, not the sample; the sample itself (PID 620) only opened CentralProcessor\0 and queried FeatureSet. EXCEL.EXE also loaded a dropped DLL in this run (see "Loads dropped DLL"), so its reads may originate from that module rather than from Office itself. Registry key paths are case-insensitive, so the Hardware\Description and HARDWARE\DESCRIPTION rows refer to the same key.
description        ioc                                                                            Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet    2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet    EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz          EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0               2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                        Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
3156  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
3156  EXCEL.EXE  (4 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3156  EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (16 IoCs)
pid   Process
3156  EXCEL.EXE  (16 events)
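The two registry signature tables above are rendered as flattened "description ioc Process" rows, which makes it hard to see who actually did the reading. The following script is an added example (not part of the tria.ge report or its tooling): it parses those rows as copied from this page, folds the case-insensitive key paths so the Hardware\Description and HARDWARE\DESCRIPTION spellings group together, and attributes the reads per process. The FINGERPRINT_VALUES set is an assumption for this example, a list of values under HKLM\HARDWARE\DESCRIPTION\System that sandbox-detection code commonly compares against hypervisor strings; it is not a list taken from the report.

```python
"""Attribute the 'Checks processor information' and 'Enumerates system info'
registry reads from a Triage report to the process that made them."""
import re
from collections import defaultdict

# The two signature tables from the report, in the flattened form tria.ge
# renders them. Hand-copied from the page for this example (constructed input).
REPORT_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet 2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
"""

# One row = description, native registry path, process image name.
# Paths and image names in these rows contain no spaces, so \S+ is enough.
ROW_RE = re.compile(r"(Key value queried|Key opened)\s+(\\REGISTRY\\\S+)\s+(\S+)")

# Assumed for this example: value names under HKLM\HARDWARE\DESCRIPTION\System
# that VM/sandbox checks commonly compare against hypervisor strings.
FINGERPRINT_VALUES = {
    "~mhz", "processornamestring", "identifier", "vendoridentifier", "featureset",
    "systemfamily", "systemsku", "systemmanufacturer", "systemproductname",
    "biosvendor", "biosversion", "videobiosversion",
}


def parse_rows(text):
    """Return (description, path, process) tuples from the flattened table text."""
    return ROW_RE.findall(text)


def normalize_path(path):
    # Registry key paths are case-insensitive; the report shows the same key as
    # both HARDWARE\DESCRIPTION and Hardware\Description, so fold case first.
    return path.lower().rstrip("\\")


def split_key_value(description, path):
    # "Key value queried" rows end with the value name; "Key opened" rows name
    # only the key. Return (key, value_or_None) so both can be grouped by key.
    norm = normalize_path(path)
    if description.startswith("Key value"):
        key, _, value = norm.rpartition("\\")
        return key, value
    return norm, None


def summarize(rows):
    """Per-process counts of events, distinct keys, values and fingerprint values."""
    out = defaultdict(lambda: {"events": 0, "keys": set(), "values": set(),
                               "fingerprint_values": set()})
    for desc, path, proc in rows:
        key, value = split_key_value(desc, path)
        s = out[proc]
        s["events"] += 1
        s["keys"].add(key)
        if value is not None:
            s["values"].add(value)
            if value in FINGERPRINT_VALUES:
                s["fingerprint_values"].add(value)
    return dict(out)


def rank_by_fingerprinting(summary):
    """Processes ordered by how many distinct fingerprint values they read."""
    return sorted(((p, len(s["fingerprint_values"])) for p, s in summary.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    summary = summarize(parse_rows(REPORT_ROWS))
    for proc, n in rank_by_fingerprinting(summary):
        s = summary[proc]
        print(f"{proc}: {s['events']} events, {len(s['keys'])} distinct keys, "
              f"fingerprint values read: {sorted(s['fingerprint_values'])}")
```

Run against the rows above, EXCEL.EXE accounts for eight of the ten events and five distinct fingerprint values across two keys (CentralProcessor\0 and BIOS), while the sample itself touched only FeatureSet. That split is what the caveat in the signature text is about: before reading the EXCEL.EXE rows as evasion by the sample, check whether the dropped DLL that Excel loaded is the code behind them.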
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-01_38096ebccfd329d3a63891879a4f93dd_mafia.exe"
  - Checks processor information in registry
  PID: 620
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  The /automation -Embedding switches are what Excel receives when it is started as an out-of-process COM server (for example by a client creating an Excel.Application object). COM server launches go through the DCOM launch service rather than the requesting process, which is why EXCEL.EXE appears here as a top-level process rather than as a child of the sample.
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 3156
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  1.8MB
MD5       7eca219377b9d8dca9258abad66f4730
SHA1      fd13a2c76cf9016d16390bbedc8caef125747df4
SHA256    daf3c95cd5365199f0407ab8f43b5817673c4a58ba99a0a405a5510231852318
SHA512    4786991f37ccc7f79337b45298f0dde8bd6d2cb79f2b06ea03d1c1fc09dfc4fd1254621506c3d9f25a216070463a33abe6bfd13ab1a38978dd270b66f35a2038
-
Filesize  22KB
MD5       29c44d16abfff0d8ccbd43a80871a904
SHA1      5f6417443a42856fd13d90e56153a8b5d272dffd
SHA256    63c99e16ff5432d4432fd01de90d549f1c898049d63422450cb93ab8e29fdb2d
SHA512    ed62a24fb42abb49a8c23aab6c4e140b4b98a25227c100f9c8081f325ba3a41d6b49a5628a704db7f1207bc0c3bb852ea02d88f4a868e7ec1f2ddf599d0839e7
-
Filesize  26KB
MD5       68ae3f8f60641e3b6e40c907e9f01daa
SHA1      204d0f28e2970af8a6727198b88edbfdd19d5c51
SHA256    759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0
SHA512    443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf