Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

mablo.exe

windows10-2004-x64

7

Resubmissions

23/09/2024, 02:34

240923-c2qgpatgrj 7

15/09/2024, 00:19

240915-al9jhsvglg 7

15/09/2024, 00:17

240915-ak7zasvfkk 7

Analysis

  • max time kernel
    53s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2024, 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mablo.exe

  • Size

    8.0MB

  • MD5

    2f21fe7df1563d35db84ba5397076aeb

  • SHA1

    4e4275d43835548a01e664150e48a64f5f48c22d

  • SHA256

    e3f0e6ef9a1d7e987fc09229dad4cbef9d5599925deea5700ade79b71d5c6c85

  • SHA512

    0a38155078d7e6add03fbd62f62648aa74621531c1692e5d85c3a24ef0092ed41844cc4620177898b43251e51f078d26669ddfe6c7b57d23da623e80783936f6

  • SSDEEP

    196608:uAhYHDfyGowBdnpkYRM0/1k0W8/L13+dgScVQJ:iDfDoc6qDW8B3+d9IQ

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 21 IoCs
  • Drops file in System32 directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 19 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mablo.exe
    "C:\Users\Admin\AppData\Local\Temp\mablo.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\mablo.exe
      "C:\Users\Admin\AppData\Local\Temp\mablo.exe"
      2⤵
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      PID:1880
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2068
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResumeConvertFrom.jpe" /ForceBootstrapPaint3D
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:852
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:1468
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4452
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\MergeEnter.gif
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:880
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4444
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\WriteClose.jpg" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1348
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft OneDrive\setup\refcount.ini
      Filesize

      27B

      MD5

      f9cd15085c5d76ee432fc6c628443b2b

      SHA1

      7f269ca79714f44cd74c94e270046f1fb2bc23b3

      SHA256

      e60bac62375e0a68e9f7da379f19f0adf35792c03bdac985ba9c37f86a36e91e

      SHA512

      dfa9507e61598a375d84c5bcc573dcf2ab45d6b14dff6407775c3e1a18da427dbedb174c6933b72cdb4b5ce0a963865939c2ca480940b55974e13caa1e1bcc25

      Download Submit

    • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
      Filesize

      102B

      MD5

      5295931a0945e52c52df5bebdb666a57

      SHA1

      1392aa156430a7b0b51152f40eafbe5782f10da5

      SHA256

      5d48a9c1357dfd87e4040af0563649d1ba4c5060d4bcbbbc58a8cd73c2da872e

      SHA512

      0fafced535d0f72d411147172fef6b94a416bc1a34320ed688ac0315ca4e381c9ae64911568e853a675f07c22d2c44cce9394d28e36e0f31ae8aad0b3d350488

      Download Submit

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      48B

      MD5

      26137766814e15a7d44c6b546eea567a

      SHA1

      f7b586b120aecfbcdb96ce49e7a6566241cb6972

      SHA256

      02c1eae1d69ae625e1c060ed095ff191c079816474125db5f2af8c8053d7cd69

      SHA512

      7869704ff5508c449816d18f9cfd8bc7f72bad36e4c4ff287c416675409193815ae296cdf756e533f8260d6ce95a5d796f38087a96dd5760cb6cbc81d6d6bad7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140.dll
      Filesize

      95KB

      MD5

      f34eb034aa4a9735218686590cba2e8b

      SHA1

      2bc20acdcb201676b77a66fa7ec6b53fa2644713

      SHA256

      9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

      SHA512

      d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_bz2.pyd
      Filesize

      81KB

      MD5

      86d1b2a9070cd7d52124126a357ff067

      SHA1

      18e30446fe51ced706f62c3544a8c8fdc08de503

      SHA256

      62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

      SHA512

      7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_decimal.pyd
      Filesize

      248KB

      MD5

      20c77203ddf9ff2ff96d6d11dea2edcf

      SHA1

      0d660b8d1161e72c993c6e2ab0292a409f6379a5

      SHA256

      9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

      SHA512

      2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_hashlib.pyd
      Filesize

      63KB

      MD5

      d4674750c732f0db4c4dd6a83a9124fe

      SHA1

      fd8d76817abc847bb8359a7c268acada9d26bfd5

      SHA256

      caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

      SHA512

      97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_lzma.pyd
      Filesize

      154KB

      MD5

      7447efd8d71e8a1929be0fac722b42dc

      SHA1

      6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

      SHA256

      60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

      SHA512

      c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_socket.pyd
      Filesize

      77KB

      MD5

      819166054fec07efcd1062f13c2147ee

      SHA1

      93868ebcd6e013fda9cd96d8065a1d70a66a2a26

      SHA256

      e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

      SHA512

      da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\_tkinter.pyd
      Filesize

      64KB

      MD5

      8da8e5348d9f9572ce9216ac8a628c2b

      SHA1

      35a23ea241d004a45399d69ca038042936d8288d

      SHA256

      06b96357f5dd83d0d8105127e7aaeacb834ddf1ae03fa46aaffdc1e5fd0a7621

      SHA512

      ca7a05cb49c8af6ebfa3cd5d415352bfd0c2abdbbf05d539e296042bbde075d29ddc8c2a2e5d46c9e736dcc848bc633686029784883f855167875972fb607f42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\base_library.zip
      Filesize

      859KB

      MD5

      483d9675ef53a13327e7dfc7d09f23fe

      SHA1

      2378f1db6292cd8dc4ad95763a42ad49aeb11337

      SHA256

      70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

      SHA512

      f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\libcrypto-1_1.dll
      Filesize

      3.3MB

      MD5

      9d7a0c99256c50afd5b0560ba2548930

      SHA1

      76bd9f13597a46f5283aa35c30b53c21976d0824

      SHA256

      9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

      SHA512

      cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\python310.dll
      Filesize

      4.3MB

      MD5

      63a1fa9259a35eaeac04174cecb90048

      SHA1

      0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

      SHA256

      14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

      SHA512

      896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\select.pyd
      Filesize

      29KB

      MD5

      a653f35d05d2f6debc5d34daddd3dfa1

      SHA1

      1a2ceec28ea44388f412420425665c3781af2435

      SHA256

      db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

      SHA512

      5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\tcl86t.dll
      Filesize

      1.8MB

      MD5

      75909678c6a79ca2ca780a1ceb00232e

      SHA1

      39ddbeb1c288335abe910a5011d7034345425f7d

      SHA256

      fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

      SHA512

      91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\tcl\encoding\cp1252.enc
      Filesize

      1KB

      MD5

      e9117326c06fee02c478027cb625c7d8

      SHA1

      2ed4092d573289925a5b71625cf43cc82b901daf

      SHA256

      741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

      SHA512

      d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\tk86t.dll
      Filesize

      1.5MB

      MD5

      4b6270a72579b38c1cc83f240fb08360

      SHA1

      1a161a014f57fe8aa2fadaab7bc4f9faaac368de

      SHA256

      cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

      SHA512

      0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI15202\unicodedata.pyd
      Filesize

      1.1MB

      MD5

      81d62ad36cbddb4e57a91018f3c0816e

      SHA1

      fe4a4fc35df240b50db22b35824e4826059a807b

      SHA256

      1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

      SHA512

      7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

      Download Submit

    • C:\Users\Public\Libraries\RecordedTV.library-ms
      Filesize

      999B

      MD5

      250a5868ecca6900d1c68d8d84b38eab

      SHA1

      8760da22445d27f8df72acdbf1b58a9e217e2ee1

      SHA256

      8fc23502742b8ff988065c203d3dafd7cae126ba2002dddd6bec219bd77e572b

      SHA512

      e6971d84df6410f5c785aea9200028f886fa1b4842112afa915e7026502ad74e89be1035664940bd892e48065800b8d904812c2b369a371340a8b386d4cc981b

      Download Submit

    • memory/1468-1278-0x000001C0A7C50000-0x000001C0A7C51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1267-0x000001C09EF80000-0x000001C09EF90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1468-1282-0x000001C0A7CF0000-0x000001C0A7CF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1281-0x000001C0A7CF0000-0x000001C0A7CF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1279-0x000001C0A7CE0000-0x000001C0A7CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1280-0x000001C0A7CE0000-0x000001C0A7CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1276-0x000001C0A7C50000-0x000001C0A7C51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1274-0x000001C0A7BD0000-0x000001C0A7BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1468-1263-0x000001C09EF40000-0x000001C09EF50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2068-1015-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1020-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1010-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1014-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1009-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1019-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1016-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1017-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1018-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2068-1008-0x00000276C9940000-0x00000276C9941000-memory.dmp

      Filesize

      4KB

      Download