Overview

overview

8

Static

static

3

2023-08-26...JC.exe

windows7-x64

8

2023-08-26...JC.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    156s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe

  • Size

    255KB

  • MD5

    5f88e9dea36c0a29fcee359567ca68a3

  • SHA1

    68f8fd802e635799166f1098ba17bd54235a7b0c

  • SHA256

    06a1095054a1ab69bc13662b60f21a725d50286fabecd045f6df744b213a4c4e

  • SHA512

    938b78aa7e453cd2c9352a45bf757825d00797589a568af2b415dbe9899d45cf4ab8ba535783a3d9398868fc6cbedbe11196da5d7d81c883e28bd221d181f452

  • SSDEEP

    6144:o64tXafE0Mqpm+SKAqpByuqPoEbLvRdvf1:o68r0Mqpm+SCB3KbLzN

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-26_5f88e9dea36c0a29fcee359567ca68a3_mafia_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:1472
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2160
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4968
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:408
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2220
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4900
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1328
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4320
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4132
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3620
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SendNotifyMessage
    PID:1036
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize

    471B

    MD5

    976ce2c91cbe61b98378e8e5c5ba4d53

    SHA1

    45b3e1eabb4e759bf46ffeb8f9722077a0d62c72

    SHA256

    255f312d16d7d080cf1a97d4eb255c236c7eee6c059d732d970e3c05c07c158e

    SHA512

    0065b7984960354aea85cd0c6792e019f40a2b359fabf7dcee438193c1bab47d74d59602627c8399df741864dffb0469d9cf8bc48907c1c67015c51d01a7b28a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize

    412B

    MD5

    c26b2389c851219b206e422216c1ce9c

    SHA1

    076c7efaf35085f1cacc0d3b65b2f4b6226eda7d

    SHA256

    1f970bd8546a86f9bf63ccacdae10b8809e7a6db2cda84c595290f808fd17486

    SHA512

    380570e45c02838615a81cddfee131799ea5400891a3722e1432e131768318902b4bb1a10e08afa5799efe2c685cfeb26bb196c4dfa093b30b505a027044a3f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415758836240810.txt
    Filesize

    75KB

    MD5

    62d81c2e1e8b21733f95af2a596e4b18

    SHA1

    91c005ecc5ae4171f450c43c02d1ba532b4474c6

    SHA256

    a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

    SHA512

    c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MediaViewer\plugin.dat
    Filesize

    95KB

    MD5

    28f796d288c96da151f069c8ae89cb40

    SHA1

    f15f3279603c4069d019f01c54ea918e3456772f

    SHA256

    3e98d0b152ab1c5421e52aa42047e69afdeb4eda10624e67c5743915fbcf1ac5

    SHA512

    9e4063acb0cce4bd1ac4fd8928cf69855101795497d183be96cb383545ec218b4b114095c665df594e41ad125fde373bd7b86123bfb7cacdd4a5dea6b3244617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
    Filesize

    77B

    MD5

    0e5fd00754d939614533c5396348e8be

    SHA1

    9ca45d249e3fb26af1734f70a06ba033f0ed5f95

    SHA256

    a1265ca9aa4be6b1ad9ad28e47cfda9f61b55e199a11302b0a0ec251a73d286f

    SHA512

    2728054b00558acffecf313c1795ee794e2e47269133966ddc08d5698f08c5fc04afa6ca66d1a6fea2461ff027a372dfaeee4eee72774b00bb72c8efa196e245

    Download Submit

  • memory/408-27-0x00007FF90B070000-0x00007FF90B0DD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/408-24-0x00007FF90B070000-0x00007FF90B0DD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/408-20-0x00007FF8938C0000-0x00007FF8938C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-21-0x00007FF90B070000-0x00007FF90B0DD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1036-65-0x00007FF906B60000-0x00007FF906BCD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1036-98-0x00007FF906B60000-0x00007FF906BCD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1036-77-0x00000000043D0000-0x00000000043D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1036-64-0x00007FF8938C0000-0x00007FF8938C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1328-29-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1328-40-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1328-37-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1328-30-0x00007FF8938C0000-0x00007FF8938C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1472-7-0x00007FF8F6840000-0x00007FF8F68AD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2160-10-0x00007FF908880000-0x00007FF9088ED000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2160-16-0x00007FF908880000-0x00007FF9088ED000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2160-9-0x00007FF8938C0000-0x00007FF8938C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4132-49-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4132-57-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4132-53-0x00007FF8FFA20000-0x00007FF8FFA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4160-5-0x00000000011E0000-0x000000000124D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4900-84-0x000001DCF8560000-0x000001DCF8580000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4900-86-0x000001DCF8520000-0x000001DCF8540000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4900-88-0x000001DCF8930000-0x000001DCF8950000-memory.dmp

    Filesize

    128KB

    Download