Analysis
max time kernel: 93s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 08:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
Size: 428KB
MD5: c3b63a758e64a1c6165eb040743e68c7
SHA1: 4f218f2b4130771c69d8d011cb96350d10347f9c
SHA256: 17d681450ae6eaabdd62828f628157c4e33bd65d871bdb73969b2f0b5328700a
SHA512: ad15434ac9d03f940ba2367f6c897225d04c9c7da10b6ecf4fa0882305f7acab9b34913c0d46a8b38c7f460ee36445547134a5ae8fd1fbbb5a5018344767b625
SSDEEP: 12288:Z594+AcL4tBekiuKzErYVMllekWSiQlo91m9dfsl:BL4tBekiuVr3l4e3oHmDs
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 3976 | process BCF7.tmp
Executes dropped EXE (1 IoC)
  pid 3976 | process BCF7.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: BCF7.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4532 wrote to memory of 3976 | pid: 4532 | process: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | procid_target: 83
  description: PID 4532 wrote to memory of 3976 | pid: 4532 | process: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | procid_target: 83
  description: PID 4532 wrote to memory of 3976 | pid: 4532 | process: 2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe | procid_target: 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe"
   PID: 4532
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\BCF7.tmp (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\BCF7.tmp" --help C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe FDC1804564ABD04B3D3376955F41E31EABDDF8DBC7CC91D259D9EB6271100A16A1F0D467117B737E4B39B061B6CBD47EEAB6D6F526D6E730A4FDA446DD64AFA0
      PID: 3976
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
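The process tree and the WriteProcessMemory rows above describe one pattern: the sample drops an executable named like a temporary file under %TEMP%, launches it with the sample's own path and a 128-character hex value as arguments, and writes into the child's memory. As an added example (not Triage's code and not taken from the sample), the Python below transcribes those report entries into records, parses the IoC rows with a regular expression, and flags a child that meets all three criteria. The record layout, the regexes, the "dropped helper" criteria and the hypothetical `find_dropped_helpers` function are assumptions of this example; the report does not say what the 64-byte hex argument is, so the code only measures it.

```python
"""Flag the dropped-helper pattern shown in a Triage report (added example).

Criteria checked for each child process:
  1. its image is a .tmp file under %TEMP% (AppData\Local\Temp),
  2. the parent's own image path appears among its arguments,
  3. the parent wrote to its memory (WriteProcessMemory IoC rows).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TEMP_TMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')      # command-line tokens, quotes kept
HEX_TOKEN_RE = re.compile(r"[0-9A-Fa-f]{32,}")  # a bare hex blob passed as an argument


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe"
HELPER = r"C:\Users\Admin\AppData\Local\Temp\BCF7.tmp"
HEX_ARG = ("FDC1804564ABD04B3D3376955F41E31EABDDF8DBC7CC91D259D9EB6271100A16"
           "A1F0D467117B737E4B39B061B6CBD47EEAB6D6F526D6E730A4FDA446DD64AFA0")

# Transcribed from the report's process tree (PIDs, image paths, arguments, parent link).
PROCS = [
    Proc(4532, SAMPLE, f'"{SAMPLE}"', None),
    Proc(3976, HELPER, f'"{HELPER}" --help {SAMPLE} {HEX_ARG}', 4532),
]

# The three "Suspicious use of WriteProcessMemory" IoC rows, as printed in the report.
WPM_TEXT = "\n".join(
    ["PID 4532 wrote to memory of 3976 4532 "
     "2024-09-09_c3b63a758e64a1c6165eb040743e68c7_mafia.exe 83"] * 3)


def parse_wpm(text: str) -> list:
    """Return (writer_pid, target_pid) pairs from Triage-style WriteProcessMemory rows."""
    return [(int(src), int(dst)) for src, dst in WPM_RE.findall(text)]


def find_dropped_helpers(procs: list, wpm: list) -> list:
    """Return one finding dict per child process that matches the dropped-helper criteria."""
    by_pid = {p.pid: p for p in procs}
    writes = Counter(wpm)  # (writer_pid, target_pid) -> number of IoC rows
    findings = []
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent is None or not TEMP_TMP_RE.search(p.image):
            continue
        # Drop the image token itself, strip quotes from the remaining arguments.
        args = [t.strip('"') for t in TOKEN_RE.findall(p.cmdline)[1:]]
        hex_args = [a for a in args if HEX_TOKEN_RE.fullmatch(a)]
        findings.append({
            "helper_pid": p.pid,
            "parent_pid": parent.pid,
            "parent_path_in_args": any(a.lower() == parent.image.lower() for a in args),
            "wpm_writes": writes[(parent.pid, p.pid)],
            "hex_arg_bytes": len(hex_args[0]) // 2 if hex_args else 0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_dropped_helpers(PROCS, parse_wpm(WPM_TEXT)):
        print(finding)
```

Run stand-alone it reports the BCF7.tmp child: launched by PID 4532, given the parent's path as an argument, written to three times, with a 64-byte hex argument. The same three checks map onto Sysmon data (event 1 for the process and its command line, event 10 for the cross-process access) if you want to turn this into a host detection rather than a report parser.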
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 428KB
MD5: 20981ccad909638ca039727156fc856c
SHA1: c98f792a68dac6eb72322767966bb82a02e8ea21
SHA256: 3ec2d8f8567f3a45f7ada1f90a0c164989660e3ea45c94d28562e2ec9ba40588
SHA512: 74157a57b9ab599e4ddb04fe97c06caf73e71dac6870ccf60de5c1f8e860cfc533799918cf75a7ff3bf0a1645ca5d4d160f9ff47df42dcb9b79b75b4a39f62df