Analysis
- max time kernel: 143s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/07/2024, 01:25

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
- Resource: win10v2004-20240709-en
General
- Target: 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
- Size: 7.5MB
- MD5: cb6502d347e66ad00df8d61f2bff373d
- SHA1: 36edfd1489b637c9605f7f3121d9953a0f0cee5c
- SHA256: 1f9ba4adb9f568997316645d1210d582c433321eec50e0348561efc65277001e
- SHA512: 7c29b49d159e57168af0a9d6247d1f13b291b54e47c29e49b4c0f95259c578f17505ec589541ade63f0b9dca79e9efe5b9838239291f2a0cc19d5da034641e81
- SSDEEP: 196608:FYE0SCI4rbECIwBbiL4c7RcXYP0a5Lp/3/PXCt40+isGsaNk:FYn/8ChhoFhPPXYtbjNk
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WeChat.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WeChat.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WeChat.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2368 | WeChat.exe

- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine | WeChat.exe

- Loads dropped DLL (3 IoCs)
  pid | Process
  2368 | WeChat.exe
  2368 | WeChat.exe
  2368 | WeChat.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "f34abaca" | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

- Modifies registry class (36 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32 | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049} | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32 | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32 | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B} | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32 | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0} | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32 | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" | WeChat.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine | WeChat.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID | WeChat.exe

- Runs ping.exe (1 TTPs, 3 IoCs)
  pid | Process
  2688 | PING.EXE
  3100 | PING.EXE
  1528 | PING.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

- Suspicious use of SetWindowsHookEx (27 IoCs)
  pid | Process
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe (10 entries)
  2368 | WeChat.exe (15 entries)
  2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe (2 entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2852 wrote to memory of 2688 | 2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 86 (3 entries)
  PID 2852 wrote to memory of 2368 | 2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 88 (3 entries)
  PID 2852 wrote to memory of 3100 | 2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 89 (3 entries)
  PID 2852 wrote to memory of 1528 | 2852 | 2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe | 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe"
  PID: 2852
  - Checks computer location settings
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child processes:
  - C:\Windows\SysWOW64\PING.EXE
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    PID: 2688
    - Runs ping.exe

  - C:\Users\Admin\AppData\Roaming\MyMacro\WeChat.exe
    Command line: --host_id 3 --verify_key mDB62xZNEZ60 --product "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe" --version 2014.05.17762
    PID: 2368
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\PING.EXE
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    PID: 3100
    - Runs ping.exe

  - C:\Windows\SysWOW64\PING.EXE
    Command line: "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    PID: 1528
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads