55987718e6b52db738fdbf5550659279a559d07c53d048ce9c0158cd282f06e5

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03/08/2023, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
Size

540KB
MD5

534c576dfeaa559db6a1b987fe802d84
SHA1

1574d42d4c8dc3c334c0ce1dc74ce590c6e78f17
SHA256

55987718e6b52db738fdbf5550659279a559d07c53d048ce9c0158cd282f06e5
SHA512

b4a33de6f9f57f4a04f16e1155ba9b1e311ba0420d92297c8799a655a5b150704db8ab6c56473f0f243de79d5e4e1657c0f17638b616ce04a5eaa4eaf74a8f56
SSDEEP

12288:txLzMJ8JozBYfw6z7O90dSatRrT88pnWis8g:txsJ8JoqfzXA03PRTs8g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	s1316.exe

Loads dropped DLL 4 IoCs

pid	Process
1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s1316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1316.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
2272	s1316.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	s1316.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2272	s1316.exe
2272	s1316.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2272	1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe	28
PID 1328 wrote to memory of 2272	1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe	28
PID 1328 wrote to memory of 2272	1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe	28
PID 1328 wrote to memory of 2272	1328	534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\n1316\s1316.exe
  "C:\Users\Admin\AppData\Local\Temp\n1316\s1316.exe" ins.exe /h b34083.api.socdn.com /u 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e 11804700 /v "C:\Users\Admin\AppData\Local\Temp\534c576dfeaa559db6a1b987fe802d84_mafia_JC.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB7FB.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB87B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
\Users\Admin\AppData\Local\Temp\n1316\s1316.exe

Filesize
288KB

MD5
094837e66182b13dcfa684ab0714be59

SHA1
3170c805ab2f3ebbea91a0b1693cbf14493834fb

SHA256
ebb291b372d56dc397a206d0e10bbf15768601c025c5fb1f53e02d8b15eeb602

SHA512
d2b3aa2c51e20936bcb4919f17398dd5b2c6c2e73573df379835bb954aa585e9ee995ad584455195348918ee4acfa8e7937a2d5e9e29c1240d0e389599a069e9

Download Submit
memory/2272-128-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-134-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-125-0x0000000000890000-0x00000000008DE000-memory.dmp

Filesize
312KB

Download
memory/2272-126-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2272-127-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-92-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2272-129-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-130-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2272-131-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-132-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-133-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-93-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-135-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2272-136-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-137-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-138-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-139-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-140-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-141-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-142-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2272-143-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download