1e7919852e580945155479b817d7f6ad80377f277eba328b7c90013f7cae9b3b

General

Target

a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe
Size

1.9MB
MD5

a4c4fa2c4783193431ef23b7cf24ba87
SHA1

35970787d49a38684331889adf855b9d6c0c47dd
SHA256

1e7919852e580945155479b817d7f6ad80377f277eba328b7c90013f7cae9b3b
SHA512

6190d32ffd4f28d8361da59a18291994c9584743fb86aa483f0107e0dfca06e2af4615d37fdbaeb8ad0c9b556a9e0ca73ea2790f690459b1cf116906abf723ac
SSDEEP

49152:izX5pRDKnI8dHaPm1iiNU+rMDCgWBqzYU3ytCEzDvEMYiVYiwh+3:izU/sMY2YL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E\Blob = 190000000100000010000000b009e99a5cfc928a173190106dbb32a95c000000010000000400000080010000530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f007400200047003300000062000000010000002000000031ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0140000000100000014000000b3db48a4f9a1c5d8ae3641cc1163696229bc4bc61d0000000100000010000000d0ab39edd1a4d89a5512882deb09cb130300000001000000140000007e04de896a3e666d00e687d33ffad93be83d349e0f000000010000003000000082c80199397722b57ad473ea266b93d47ffc77fe07f09388345f20dab6addd087672f988b4bbfd154c4b133c70c9ecff2000000001000000430200003082023f308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082a8648ce3d0403033061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f742047333076301006072a8648ce3d020106052b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb543ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4f9a1c5d8ae3641cc1163696229bc4bc6300a06082a8648ce3d0403030368003065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e29ae55b7cb32717	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E\Blob = 0f000000010000003000000082c80199397722b57ad473ea266b93d47ffc77fe07f09388345f20dab6addd087672f988b4bbfd154c4b133c70c9ecff0300000001000000140000007e04de896a3e666d00e687d33ffad93be83d349e1d0000000100000010000000d0ab39edd1a4d89a5512882deb09cb13140000000100000014000000b3db48a4f9a1c5d8ae3641cc1163696229bc4bc662000000010000002000000031ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d00b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f0074002000470033000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c05c0000000100000004000000800100002000000001000000430200003082023f308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082a8648ce3d0403033061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f742047333076301006072a8648ce3d020106052b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb543ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4f9a1c5d8ae3641cc1163696229bc4bc6300a06082a8648ce3d0403030368003065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e29ae55b7cb32717	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe
Token: SeDebugPrivilege	1784	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1784	1616	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe	88
PID 1616 wrote to memory of 1784	1616	a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe
  C:\Users\Admin\AppData\Local\Temp\a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4c4fa2c4783193431ef23b7cf24ba87_mafia_JC64.exe

Filesize
1.1MB

MD5
8d498649c852e56285479359232d3812

SHA1
6daf9a7f9a69829c95ab4d84404b559a3254dabd

SHA256
fdeb54c00f1f9e9c0c16c2610e82616f7c99ba67555e1ddad3f6faf427bc67a3

SHA512
e19803dae3989ca0a090d4e1d09c46537696e084fed2c58e6df4b0f8c1ddf503997310b9445ab2d03c1d4dbfd573e7dbeed99a2f99ec04445b70ab87442af128

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
514B

MD5
e26f43a56c3eae3fd5ef0c59d4999730

SHA1
16eaa62b89308243946f3dfb879f53bb173658a6

SHA256
8e68ff5918a0a5d574779cd461a255b1fdc7895ee4210e83cc073fdf80479970

SHA512
f5532db067afd3550a3565f5d46a063b01edf41289a92d49e3a665af67576f01ce51223eb4b752959b96412c3fae2cdfd9e7c8799062a12b18f70aa90ee3c3cf

Download Submit

Analysis

Sharing