Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04/10/2024, 13:44
General
-
Target
2024-10-04_e692c57e20350a0fee1111effbd920f6_mafia.exe
-
Size
541KB
-
MD5
e692c57e20350a0fee1111effbd920f6
-
SHA1
88c77efd63f602bd67bc687812733d64034a2d6f
-
SHA256
35c563c2f32b804634e5a74fa526f7cea654c3f96061120b238f6491f1150c52
-
SHA512
c9c118cd55236e93ac8af74b95f9cdc40775ce3e57cd74a7d990a1e0cbd3af399a6e2343473f08093c683efb44b11726b4114018db142c8081e4a9dc667f205d
-
SSDEEP
12288:UU5rCOTeifrVPRYT3YXAZ9rPLLQ+4uGFLrZa73ctO:UUQOJfrVpYT3nLfQ+4uG9rU73ctO
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-04_e692c57e20350a0fee1111effbd920f6_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-04_e692c57e20350a0fee1111effbd920f6_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EF3C.tmp"C:\Users\Admin\AppData\Local\Temp\EF3C.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EFC9.tmp"C:\Users\Admin\AppData\Local\Temp\EFC9.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F065.tmp"C:\Users\Admin\AppData\Local\Temp\F065.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F111.tmp"C:\Users\Admin\AppData\Local\Temp\F111.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F19E.tmp"C:\Users\Admin\AppData\Local\Temp\F19E.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F22A.tmp"C:\Users\Admin\AppData\Local\Temp\F22A.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F2A7.tmp"C:\Users\Admin\AppData\Local\Temp\F2A7.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F334.tmp"C:\Users\Admin\AppData\Local\Temp\F334.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F3B1.tmp"C:\Users\Admin\AppData\Local\Temp\F3B1.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F41E.tmp"C:\Users\Admin\AppData\Local\Temp\F41E.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F48C.tmp"C:\Users\Admin\AppData\Local\Temp\F48C.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F538.tmp"C:\Users\Admin\AppData\Local\Temp\F538.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F5D4.tmp"C:\Users\Admin\AppData\Local\Temp\F5D4.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F641.tmp"C:\Users\Admin\AppData\Local\Temp\F641.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F6CE.tmp"C:\Users\Admin\AppData\Local\Temp\F6CE.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F76A.tmp"C:\Users\Admin\AppData\Local\Temp\F76A.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F806.tmp"C:\Users\Admin\AppData\Local\Temp\F806.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F8A3.tmp"C:\Users\Admin\AppData\Local\Temp\F8A3.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F93F.tmp"C:\Users\Admin\AppData\Local\Temp\F93F.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F9DB.tmp"C:\Users\Admin\AppData\Local\Temp\F9DB.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FA77.tmp"C:\Users\Admin\AppData\Local\Temp\FA77.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB23.tmp"C:\Users\Admin\AppData\Local\Temp\FB23.tmp"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FBB0.tmp"C:\Users\Admin\AppData\Local\Temp\FBB0.tmp"24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FC4C.tmp"C:\Users\Admin\AppData\Local\Temp\FC4C.tmp"25⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FCE8.tmp"C:\Users\Admin\AppData\Local\Temp\FCE8.tmp"26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FDA4.tmp"C:\Users\Admin\AppData\Local\Temp\FDA4.tmp"27⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FE40.tmp"C:\Users\Admin\AppData\Local\Temp\FE40.tmp"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FEDC.tmp"C:\Users\Admin\AppData\Local\Temp\FEDC.tmp"29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FF79.tmp"C:\Users\Admin\AppData\Local\Temp\FF79.tmp"30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\15.tmp"C:\Users\Admin\AppData\Local\Temp\15.tmp"31⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B1.tmp"C:\Users\Admin\AppData\Local\Temp\B1.tmp"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\13E.tmp"C:\Users\Admin\AppData\Local\Temp\13E.tmp"33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1DA.tmp"C:\Users\Admin\AppData\Local\Temp\1DA.tmp"34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\247.tmp"C:\Users\Admin\AppData\Local\Temp\247.tmp"35⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\296.tmp"C:\Users\Admin\AppData\Local\Temp\296.tmp"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\303.tmp"C:\Users\Admin\AppData\Local\Temp\303.tmp"37⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\370.tmp"C:\Users\Admin\AppData\Local\Temp\370.tmp"38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3CE.tmp"C:\Users\Admin\AppData\Local\Temp\3CE.tmp"39⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\41C.tmp"C:\Users\Admin\AppData\Local\Temp\41C.tmp"40⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\47A.tmp"C:\Users\Admin\AppData\Local\Temp\47A.tmp"41⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4E7.tmp"C:\Users\Admin\AppData\Local\Temp\4E7.tmp"42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\545.tmp"C:\Users\Admin\AppData\Local\Temp\545.tmp"43⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5B2.tmp"C:\Users\Admin\AppData\Local\Temp\5B2.tmp"44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\610.tmp"C:\Users\Admin\AppData\Local\Temp\610.tmp"45⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\65E.tmp"C:\Users\Admin\AppData\Local\Temp\65E.tmp"46⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6BC.tmp"C:\Users\Admin\AppData\Local\Temp\6BC.tmp"47⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\729.tmp"C:\Users\Admin\AppData\Local\Temp\729.tmp"48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\797.tmp"C:\Users\Admin\AppData\Local\Temp\797.tmp"49⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\814.tmp"C:\Users\Admin\AppData\Local\Temp\814.tmp"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\872.tmp"C:\Users\Admin\AppData\Local\Temp\872.tmp"51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8DF.tmp"C:\Users\Admin\AppData\Local\Temp\8DF.tmp"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\94C.tmp"C:\Users\Admin\AppData\Local\Temp\94C.tmp"53⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9AA.tmp"C:\Users\Admin\AppData\Local\Temp\9AA.tmp"54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A08.tmp"C:\Users\Admin\AppData\Local\Temp\A08.tmp"55⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A75.tmp"C:\Users\Admin\AppData\Local\Temp\A75.tmp"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AD3.tmp"C:\Users\Admin\AppData\Local\Temp\AD3.tmp"57⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B21.tmp"C:\Users\Admin\AppData\Local\Temp\B21.tmp"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B7F.tmp"C:\Users\Admin\AppData\Local\Temp\B7F.tmp"59⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCD.tmp"C:\Users\Admin\AppData\Local\Temp\BCD.tmp"60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C1B.tmp"C:\Users\Admin\AppData\Local\Temp\C1B.tmp"61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\C88.tmp"C:\Users\Admin\AppData\Local\Temp\C88.tmp"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CF6.tmp"C:\Users\Admin\AppData\Local\Temp\CF6.tmp"63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D44.tmp"C:\Users\Admin\AppData\Local\Temp\D44.tmp"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DA2.tmp"C:\Users\Admin\AppData\Local\Temp\DA2.tmp"65⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DFF.tmp"C:\Users\Admin\AppData\Local\Temp\DFF.tmp"66⤵
-
C:\Users\Admin\AppData\Local\Temp\E5D.tmp"C:\Users\Admin\AppData\Local\Temp\E5D.tmp"67⤵
-
C:\Users\Admin\AppData\Local\Temp\EBB.tmp"C:\Users\Admin\AppData\Local\Temp\EBB.tmp"68⤵
-
C:\Users\Admin\AppData\Local\Temp\F19.tmp"C:\Users\Admin\AppData\Local\Temp\F19.tmp"69⤵
-
C:\Users\Admin\AppData\Local\Temp\F76.tmp"C:\Users\Admin\AppData\Local\Temp\F76.tmp"70⤵
-
C:\Users\Admin\AppData\Local\Temp\FD4.tmp"C:\Users\Admin\AppData\Local\Temp\FD4.tmp"71⤵
-
C:\Users\Admin\AppData\Local\Temp\1032.tmp"C:\Users\Admin\AppData\Local\Temp\1032.tmp"72⤵
-
C:\Users\Admin\AppData\Local\Temp\1090.tmp"C:\Users\Admin\AppData\Local\Temp\1090.tmp"73⤵
-
C:\Users\Admin\AppData\Local\Temp\10ED.tmp"C:\Users\Admin\AppData\Local\Temp\10ED.tmp"74⤵
-
C:\Users\Admin\AppData\Local\Temp\114B.tmp"C:\Users\Admin\AppData\Local\Temp\114B.tmp"75⤵
-
C:\Users\Admin\AppData\Local\Temp\11B9.tmp"C:\Users\Admin\AppData\Local\Temp\11B9.tmp"76⤵
-
C:\Users\Admin\AppData\Local\Temp\1216.tmp"C:\Users\Admin\AppData\Local\Temp\1216.tmp"77⤵
-
C:\Users\Admin\AppData\Local\Temp\1274.tmp"C:\Users\Admin\AppData\Local\Temp\1274.tmp"78⤵
-
C:\Users\Admin\AppData\Local\Temp\12D2.tmp"C:\Users\Admin\AppData\Local\Temp\12D2.tmp"79⤵
-
C:\Users\Admin\AppData\Local\Temp\133F.tmp"C:\Users\Admin\AppData\Local\Temp\133F.tmp"80⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\139D.tmp"C:\Users\Admin\AppData\Local\Temp\139D.tmp"81⤵
-
C:\Users\Admin\AppData\Local\Temp\13FB.tmp"C:\Users\Admin\AppData\Local\Temp\13FB.tmp"82⤵
-
C:\Users\Admin\AppData\Local\Temp\1468.tmp"C:\Users\Admin\AppData\Local\Temp\1468.tmp"83⤵
-
C:\Users\Admin\AppData\Local\Temp\14D5.tmp"C:\Users\Admin\AppData\Local\Temp\14D5.tmp"84⤵
-
C:\Users\Admin\AppData\Local\Temp\1543.tmp"C:\Users\Admin\AppData\Local\Temp\1543.tmp"85⤵
-
C:\Users\Admin\AppData\Local\Temp\15B0.tmp"C:\Users\Admin\AppData\Local\Temp\15B0.tmp"86⤵
-
C:\Users\Admin\AppData\Local\Temp\15FE.tmp"C:\Users\Admin\AppData\Local\Temp\15FE.tmp"87⤵
-
C:\Users\Admin\AppData\Local\Temp\166C.tmp"C:\Users\Admin\AppData\Local\Temp\166C.tmp"88⤵
-
C:\Users\Admin\AppData\Local\Temp\16C9.tmp"C:\Users\Admin\AppData\Local\Temp\16C9.tmp"89⤵
-
C:\Users\Admin\AppData\Local\Temp\1727.tmp"C:\Users\Admin\AppData\Local\Temp\1727.tmp"90⤵
-
C:\Users\Admin\AppData\Local\Temp\1785.tmp"C:\Users\Admin\AppData\Local\Temp\1785.tmp"91⤵
-
C:\Users\Admin\AppData\Local\Temp\17D3.tmp"C:\Users\Admin\AppData\Local\Temp\17D3.tmp"92⤵
-
C:\Users\Admin\AppData\Local\Temp\1840.tmp"C:\Users\Admin\AppData\Local\Temp\1840.tmp"93⤵
-
C:\Users\Admin\AppData\Local\Temp\18AE.tmp"C:\Users\Admin\AppData\Local\Temp\18AE.tmp"94⤵
-
C:\Users\Admin\AppData\Local\Temp\190C.tmp"C:\Users\Admin\AppData\Local\Temp\190C.tmp"95⤵
-
C:\Users\Admin\AppData\Local\Temp\1969.tmp"C:\Users\Admin\AppData\Local\Temp\1969.tmp"96⤵
-
C:\Users\Admin\AppData\Local\Temp\19C7.tmp"C:\Users\Admin\AppData\Local\Temp\19C7.tmp"97⤵
-
C:\Users\Admin\AppData\Local\Temp\1A34.tmp"C:\Users\Admin\AppData\Local\Temp\1A34.tmp"98⤵
-
C:\Users\Admin\AppData\Local\Temp\1AA2.tmp"C:\Users\Admin\AppData\Local\Temp\1AA2.tmp"99⤵
-
C:\Users\Admin\AppData\Local\Temp\1B0F.tmp"C:\Users\Admin\AppData\Local\Temp\1B0F.tmp"100⤵
-
C:\Users\Admin\AppData\Local\Temp\1B5D.tmp"C:\Users\Admin\AppData\Local\Temp\1B5D.tmp"101⤵
-
C:\Users\Admin\AppData\Local\Temp\1BBB.tmp"C:\Users\Admin\AppData\Local\Temp\1BBB.tmp"102⤵
-
C:\Users\Admin\AppData\Local\Temp\1C19.tmp"C:\Users\Admin\AppData\Local\Temp\1C19.tmp"103⤵
-
C:\Users\Admin\AppData\Local\Temp\1C77.tmp"C:\Users\Admin\AppData\Local\Temp\1C77.tmp"104⤵
-
C:\Users\Admin\AppData\Local\Temp\1CE4.tmp"C:\Users\Admin\AppData\Local\Temp\1CE4.tmp"105⤵
-
C:\Users\Admin\AppData\Local\Temp\1D51.tmp"C:\Users\Admin\AppData\Local\Temp\1D51.tmp"106⤵
-
C:\Users\Admin\AppData\Local\Temp\1D9F.tmp"C:\Users\Admin\AppData\Local\Temp\1D9F.tmp"107⤵
-
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp"C:\Users\Admin\AppData\Local\Temp\1E0D.tmp"108⤵
-
C:\Users\Admin\AppData\Local\Temp\1E7A.tmp"C:\Users\Admin\AppData\Local\Temp\1E7A.tmp"109⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1EF7.tmp"C:\Users\Admin\AppData\Local\Temp\1EF7.tmp"110⤵
-
C:\Users\Admin\AppData\Local\Temp\1F65.tmp"C:\Users\Admin\AppData\Local\Temp\1F65.tmp"111⤵
-
C:\Users\Admin\AppData\Local\Temp\1FD2.tmp"C:\Users\Admin\AppData\Local\Temp\1FD2.tmp"112⤵
-
C:\Users\Admin\AppData\Local\Temp\2030.tmp"C:\Users\Admin\AppData\Local\Temp\2030.tmp"113⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\208D.tmp"C:\Users\Admin\AppData\Local\Temp\208D.tmp"114⤵
-
C:\Users\Admin\AppData\Local\Temp\20FB.tmp"C:\Users\Admin\AppData\Local\Temp\20FB.tmp"115⤵
-
C:\Users\Admin\AppData\Local\Temp\2159.tmp"C:\Users\Admin\AppData\Local\Temp\2159.tmp"116⤵
-
C:\Users\Admin\AppData\Local\Temp\21B6.tmp"C:\Users\Admin\AppData\Local\Temp\21B6.tmp"117⤵
-
C:\Users\Admin\AppData\Local\Temp\2214.tmp"C:\Users\Admin\AppData\Local\Temp\2214.tmp"118⤵
-
C:\Users\Admin\AppData\Local\Temp\2272.tmp"C:\Users\Admin\AppData\Local\Temp\2272.tmp"119⤵
-
C:\Users\Admin\AppData\Local\Temp\22D0.tmp"C:\Users\Admin\AppData\Local\Temp\22D0.tmp"120⤵
-
C:\Users\Admin\AppData\Local\Temp\231E.tmp"C:\Users\Admin\AppData\Local\Temp\231E.tmp"121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-