f0a6eff7660e788816b7363554291cd7f0bcbb27cc636c96d0c67fb2928f7fe2

Analysis

max time kernel
147s
max time network
165s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe
Size

255KB
MD5

7a07f55857e4b8502137a211b158d4ab
SHA1

80ee6656759f0fe251cfa4a81a43024ce4c096ed
SHA256

f0a6eff7660e788816b7363554291cd7f0bcbb27cc636c96d0c67fb2928f7fe2
SHA512

f7b05bba81731b7f0d5aea809346a066d28405068f5dff4a9b940ac50354a5ce8dfeda55857339c8204bed0b626b7b01b2c3d4aab4b27d07eeebe98fad7f9b74
SSDEEP

6144:o64tXafE0Mqpm+SKAqpByuqPoEbLvRdvf8:o68r0Mqpm+SCB3KbLzE

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Loads dropped DLL 3 IoCs

pid	Process
2092	regsvr32.exe
2108	regsvr32.exe
2600	explorer.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MediaViewer\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32	regsvr32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012274-3.dat	upx
behavioral1/files/0x000b000000012274-4.dat	upx
behavioral1/memory/2108-7-0x000007FEF6880000-0x000007FEF68ED000-memory.dmp	upx
behavioral1/files/0x000b000000012274-6.dat	upx
behavioral1/memory/2600-27-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx
behavioral1/files/0x000b000000012274-26.dat	upx
behavioral1/memory/2600-31-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx
behavioral1/memory/2600-33-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx
behavioral1/memory/2600-35-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx
behavioral1/memory/2600-42-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx
behavioral1/memory/2600-48-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\MediaViewer"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MediaViewer\\plugin.dat"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\ = "MediaViewer046A Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ = "IMediaViewerIdentifier"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MediaViewer\\plugin.dat"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\ = "MediaViewerPluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ = "IMediaViewerIdentifier"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-046AA8FB54F2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe
2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe
2600	explorer.exe
2600	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe
Token: SeShutdownPrivilege	2600	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2252 wrote to memory of 2092	2252	2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe	28
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29
PID 2092 wrote to memory of 2108	2092	regsvr32.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_7a07f55857e4b8502137a211b158d4ab_mafia_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat

Filesize
95KB

MD5
2f58f98a49adec90f45bd22a673c1444

SHA1
6fb071d14e67fc500801dc86b5018e1c541b2511

SHA256
895be3615f9624a4520f74b0efa61715a5da0a668f07a3934cb078eb53a4f62c

SHA512
535c690df1f9e78c13031cff82eb90b52570f6277eaeed1424bfa8410c67f1c6be3fa6cabbf5916fcbfb2fa02848d36e8a086342c7d36ec93cedb23ac6c0353e

Download Submit
C:\Users\Admin\AppData\Roaming\SogouPinyin.local

Filesize
77B

MD5
876ca0cb44669f23b097a0339560842d

SHA1
fd7509fb7d10c0a7c8369f24e40c3ffb80d8289c

SHA256
0649c175624ae600c32c460f6678a36762a6acfe97a06121f97241d64d349496

SHA512
5292d0f31c2c420e93eed15c8e3720b0fe98b9c4943271ff5b6a94c7547f4784abcfc31f5ec62cc0963771e3b7c7b448e7e8929d222d9d0700e2e072b14a50ff

Download Submit
\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat

Filesize
95KB

MD5
2f58f98a49adec90f45bd22a673c1444

SHA1
6fb071d14e67fc500801dc86b5018e1c541b2511

SHA256
895be3615f9624a4520f74b0efa61715a5da0a668f07a3934cb078eb53a4f62c

SHA512
535c690df1f9e78c13031cff82eb90b52570f6277eaeed1424bfa8410c67f1c6be3fa6cabbf5916fcbfb2fa02848d36e8a086342c7d36ec93cedb23ac6c0353e

Download Submit
\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat

Filesize
95KB

MD5
2f58f98a49adec90f45bd22a673c1444

SHA1
6fb071d14e67fc500801dc86b5018e1c541b2511

SHA256
895be3615f9624a4520f74b0efa61715a5da0a668f07a3934cb078eb53a4f62c

SHA512
535c690df1f9e78c13031cff82eb90b52570f6277eaeed1424bfa8410c67f1c6be3fa6cabbf5916fcbfb2fa02848d36e8a086342c7d36ec93cedb23ac6c0353e

Download Submit
\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat

Filesize
95KB

MD5
2f58f98a49adec90f45bd22a673c1444

SHA1
6fb071d14e67fc500801dc86b5018e1c541b2511

SHA256
895be3615f9624a4520f74b0efa61715a5da0a668f07a3934cb078eb53a4f62c

SHA512
535c690df1f9e78c13031cff82eb90b52570f6277eaeed1424bfa8410c67f1c6be3fa6cabbf5916fcbfb2fa02848d36e8a086342c7d36ec93cedb23ac6c0353e

Download Submit
memory/2092-5-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2108-7-0x000007FEF6880000-0x000007FEF68ED000-memory.dmp

Filesize
436KB

Download
memory/2600-27-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download
memory/2600-28-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/2600-30-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2600-31-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download
memory/2600-32-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2600-33-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download
memory/2600-35-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download
memory/2600-42-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download
memory/2600-47-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2600-48-0x000007FEFBB30000-0x000007FEFBB9D000-memory.dmp

Filesize
436KB

Download