96b71e0100fbd340ce544a9cdd524e7fa6540b4994fb113dfe1f10fcff9b6b94

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe
Size

1.2MB
MD5

9c3ec506c6698e1701f42c9aaff52148
SHA1

80e3228f5b3cd1d40ac88cb78d588768fb3a8eb1
SHA256

96b71e0100fbd340ce544a9cdd524e7fa6540b4994fb113dfe1f10fcff9b6b94
SHA512

98a5b9edd58abc1aa56fadab4d985ec289dbeaec36fe2013f9452e1cd577a6daaac29cfbb8191e3b5b26fc2ba478c75ecdcb5a346c44e1a417079e29e997d69c
SSDEEP

24576:ZPx2Qnyr4NvGXVT/H2HCmUykZgV88UAeK4bFo7aYwsWNqDqbNQoC8R:2Qnyr4NeX5/2HCmUykuieeKQS7aY0NmA

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1548	NFWCHK.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1416	dw20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe
1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1548	1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe	28
PID 1732 wrote to memory of 1548	1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe	28
PID 1732 wrote to memory of 1548	1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe	28
PID 1732 wrote to memory of 1548	1732	9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe	28
PID 1548 wrote to memory of 1416	1548	NFWCHK.exe	30
PID 1548 wrote to memory of 1416	1548	NFWCHK.exe	30
PID 1548 wrote to memory of 1416	1548	NFWCHK.exe	30

C:\Users\Admin\AppData\Local\Temp\9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9c3ec506c6698e1701f42c9aaff52148_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 424
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
716B

MD5
3afd2cff66e02fc234efa658198b2488

SHA1
f6bcb2efbc8677f0d80a5ad0611b66729df56d4d

SHA256
13f060cdf7dcfa6b613e0b94b29e6a0802eb05e525c5f7205a339ac433b05880

SHA512
6f7dfbd0aaad60bf5e34d9994452f18d79bc0ee7d8f6837f3505d712c5a765377eb5002aa33978f8d0ec90717f2c7de7a7df8dc5465c1c39018b539cbbdaa991

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
1KB

MD5
77a2f445b865855f69b9f9caeb4feb16

SHA1
4615914c13bfe582e6a6b52f204fa3cc8a685305

SHA256
0523f0a9e057cb451cd0815368057277c75771e0c091ff855f355471900fecc5

SHA512
bdc31d1698e4560620f3105529bc0263934051980ca97870bff2ad3c527eaed5e1eb8a7b453937c190fc94e670b5b4bed9ad72d1576a951370131a7bd3f4b8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
960B

MD5
56a763e319c03395aaf43165345ebd2d

SHA1
fa8848f88331b2c306888e8265352edf58305d0c

SHA256
8dfa5949368394ac44e95456f05f4abea739b54914ae7139fe67fa6561a0d244

SHA512
d842ad423937d24a40e5cb80e83ce8a79bd4541ef7c9866c7d8d66309b641c1cec066c4eb106f2bb6fe0391ee9997a969053e71060e3d7de7c58e6df590e0854

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
e9252c71df6a7d16c03a2e8ad6ed1f97

SHA1
14c9f07d2f834be2db27e5ec43950c79157498c1

SHA256
9a3e038fc9e84e85fbbe4f80e5bdeb099c53ba9ad05b22cfe44421b98d24e805

SHA512
3a85745540d667d68d693d79443e487b25f66e2554d9e08db266ff907f495f887775a30f3e858ab1cf88af902f015547e93ecd5a454077882becffa6a6d49694

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
8dc4385c5418902fd6a9fd93f7df3c55

SHA1
3a328e2448817e1d3fd0d0feb8261f5a4335d726

SHA256
4d1963d7cdc651dbe3a73b81ed85b9af4ffac27ae7889cd2fde49dcea3c5e24a

SHA512
58913ca4389cfa5d0639e24aeaafb538e5e4f0f2b9b4d0144e4f2ccb81727000fcb1769b680c17644e8948eb2a39db4b059ad005f9f017e05f4ef518d41ede50

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
memory/1416-1081-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1548-1077-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/1548-1079-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-1080-0x0000000000BC0000-0x0000000000C40000-memory.dmp

Filesize
512KB

Download
memory/1548-1082-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-1083-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download