Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/09/2024, 08:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
- Size: 428KB
- MD5: c3b63a758e64a1c6165eb040743e68c7
- SHA1: 4f218f2b4130771c69d8d011cb96350d10347f9c
- SHA256: 17d681450ae6eaabdd62828f628157c4e33bd65d871bdb73969b2f0b5328700a
- SHA512: ad15434ac9d03f940ba2367f6c897225d04c9c7da10b6ecf4fa0882305f7acab9b34913c0d46a8b38c7f460ee36445547134a5ae8fd1fbbb5a5018344767b625
- SSDEEP: 12288:Z594+AcL4tBekiuKzErYVMllekWSiQlo91m9dfsl:BL4tBekiuVr3l4e3oHmDs
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2088 | B5F7.tmp
- Executes dropped EXE (1 IoCs)
  pid | Process
  2088 | B5F7.tmp
- Loads dropped DLL (1 IoCs)
  pid | Process
  2520 | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | B5F7.tmp
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 2088 | 2520 | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | 30
  PID 2520 wrote to memory of 2088 | 2520 | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | 30
  PID 2520 wrote to memory of 2088 | 2520 | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | 30
  PID 2520 wrote to memory of 2088 | 2520 | 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | 30
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe"
  Depth: 1
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2520
  - Path: C:\Users\Admin\AppData\Local\Temp\B5F7.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\B5F7.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe 10115F6B26427A86397AF5C3EDE48B3654BA30AB3570393CDA630E642CF2CDA7FC643EF26292083CC2DB1ADFA9C45278C4FDA6C89996A2AEA9F8E4F0E1A579FD
    Depth: 2
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 428KB
  MD5: ec4549d26516513a9a385d4c6dec8f2a
  SHA1: 05f876ec40acb55029941001fb7918930aa3fbd4
  SHA256: f73bba7e62a512e7e0f840e3fa6b11dac1fb65e728fc183946206964b5cd3f90
  SHA512: bd47fc710458dc3a20636efcf67424eb6fc9fc0d53777a1c43ae092acbca2fd9ac91e7b3370f24b1f8a4a9abe8024daafdf77ae87ae0830878d9131ffd4f036e