Analysis
max time kernel: 142s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/07/2024, 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
  Resource: win10v2004-20240709-en
General
Target: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Size: 7.5MB
MD5: cb6502d347e66ad00df8d61f2bff373d
SHA1: 36edfd1489b637c9605f7f3121d9953a0f0cee5c
SHA256: 1f9ba4adb9f568997316645d1210d582c433321eec50e0348561efc65277001e
SHA512: 7c29b49d159e57168af0a9d6247d1f13b291b54e47c29e49b4c0f95259c578f17505ec589541ade63f0b9dca79e9efe5b9838239291f2a0cc19d5da034641e81
SSDEEP: 196608:FYE0SCI4rbECIwBbiL4c7RcXYP0a5Lp/3/PXCt40+isGsaNk:FYn/8ChhoFhPPXYtbjNk
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WeChat.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WeChat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WeChat.exe
Executes dropped EXE (1 IoC)
pid | Process
1308 | WeChat.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | WeChat.exe
Loads dropped DLL (6 IoCs)
pid | Process
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "fb5627d6" | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Modifies registry class (36 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B} | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32 | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32 | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32 | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049} | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32 | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID | WeChat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0} | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine | WeChat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32 | WeChat.exe
Runs ping.exe (1 TTPs, 3 IoCs)
pid | Process
2932 | PING.EXE
1924 | PING.EXE
780 | PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Suspicious use of SetWindowsHookEx (28 IoCs)
pid | Process
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
1308 | WeChat.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2816 wrote to memory of 780 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 30
PID 2816 wrote to memory of 780 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 30
PID 2816 wrote to memory of 780 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 30
PID 2816 wrote to memory of 780 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 30
PID 2816 wrote to memory of 1308 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 32
PID 2816 wrote to memory of 1308 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 32
PID 2816 wrote to memory of 1308 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 32
PID 2816 wrote to memory of 1308 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 32
PID 2816 wrote to memory of 2932 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 34
PID 2816 wrote to memory of 2932 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 34
PID 2816 wrote to memory of 2932 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 34
PID 2816 wrote to memory of 2932 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 34
PID 2816 wrote to memory of 1924 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 36
PID 2816 wrote to memory of 1924 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 36
PID 2816 wrote to memory of 1924 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 36
PID 2816 wrote to memory of 1924 | 2816 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe (PID 2816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe"
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\PING.EXE (PID 780)
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    - Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\MyMacro\WeChat.exe (PID 1308)
    Command line: --host_id 3 --verify_key qMLwN1YSToWS --product "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe" --version 2014.05.17762
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\PING.EXE (PID 2932)
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    - Runs ping.exe
  - C:\Windows\SysWOW64\PING.EXE (PID 1924)
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads