Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 01:25

General

  • Target

    2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

  • Size

    7.5MB

  • MD5

    cb6502d347e66ad00df8d61f2bff373d

  • SHA1

    36edfd1489b637c9605f7f3121d9953a0f0cee5c

  • SHA256

    1f9ba4adb9f568997316645d1210d582c433321eec50e0348561efc65277001e

  • SHA512

    7c29b49d159e57168af0a9d6247d1f13b291b54e47c29e49b4c0f95259c578f17505ec589541ade63f0b9dca79e9efe5b9838239291f2a0cc19d5da034641e81

  • SSDEEP

    196608:FYE0SCI4rbECIwBbiL4c7RcXYP0a5Lp/3/PXCt40+isGsaNk:FYn/8ChhoFhPPXYtbjNk

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
      2⤵
      • Runs ping.exe
      PID:780
    • C:\Users\Admin\AppData\Roaming\MyMacro\WeChat.exe
      --host_id 3 --verify_key qMLwN1YSToWS --product "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe" --version 2014.05.17762
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1308
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
      2⤵
      • Runs ping.exe
      PID:2932
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
      2⤵
      • Runs ping.exe
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QMLog\20240711.log

    Filesize

    326B

    MD5

    eb2059ffc40174b7a60d674366ad555d

    SHA1

    aac530ed8d36818621659d8263fb3ff79b51ffb4

    SHA256

    633ccfb70c7f4e4ad074d09480f2a2ce561623838108cacf91f1b6c04d941443

    SHA512

    4e83fef69d148e47f9f083d0e33a80d9a96b1e29898bbfd3b113e101b3d6f4a73a837a0506e69222377b698f081496822608a02cdea3733089f99a0ea1554755

  • C:\Users\Admin\AppData\Local\Temp\mac6893.tmp

    Filesize

    1KB

    MD5

    6ec2d447ade6e6033723df51a0efafe5

    SHA1

    4611402ca0f2e58462b6efe8755f8088e8ea1cd8

    SHA256

    67589fd00c257ac03df01596b75695bf4ce7ca5a4404b3e45b7470c3dbea9bf0

    SHA512

    72848e8d31e04f29aff6a86ac6528e9095acf978cdb413155d7f0d62a74e3f9d125f2412453542e9825dbbe9dc6807bc2ed1066b15c9fcfd3a15e0fc537ece65

  • \Users\Admin\AppData\Roaming\MyMacro\WeChat.exe

    Filesize

    7.2MB

    MD5

    c77fa3dc4aebbc21dd0f12258d28bc5c

    SHA1

    6cac34000d6eebe9b2947231199793daffb213fc

    SHA256

    9a0c9ba0e4dd1afe54e50f61b6c3d88b96d4b7dddabc275a149010c7e1ee0959

    SHA512

    7ae33680b4f067f31ed750ee7a2c4cb19ebee4135207d8539ba268f2bfbb1dda22086e8091129925fe2f98733bf0b59d710474d07dcdf444cf50c8022107f815

  • \Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

    Filesize

    59KB

    MD5

    b35416c2b3e818894df95608b76934f7

    SHA1

    bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

    SHA256

    8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

    SHA512

    92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

  • \Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

    Filesize

    303KB

    MD5

    014c01cd6522778e1e15be0e696dfe0c

    SHA1

    c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

    SHA256

    259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

    SHA512

    3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

  • memory/1308-82-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-100-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-105-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-58-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-78-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-104-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-81-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-103-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-83-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-84-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-93-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-94-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-95-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-102-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/1308-101-0x0000000000400000-0x0000000000B31000-memory.dmp

    Filesize

    7.2MB

  • memory/2816-54-0x0000000005510000-0x0000000005C41000-memory.dmp

    Filesize

    7.2MB

  • memory/2816-57-0x0000000005510000-0x0000000005C41000-memory.dmp

    Filesize

    7.2MB

  • memory/2816-80-0x0000000005510000-0x0000000005C41000-memory.dmp

    Filesize

    7.2MB

  • memory/2816-56-0x0000000005510000-0x0000000005C41000-memory.dmp

    Filesize

    7.2MB