5e5766a24b3ef7703ecdae1366cceab9c424594a16cabd51e89a1b7b37fbf5ea

General

Target

2023-08-25_f366fd0f208193998e28e424e306e06b_mafia_JC.exe
Size

3.1MB
MD5

f366fd0f208193998e28e424e306e06b
SHA1

0bd6bd6546dbca83da40bc4a8896a6c92accc92b
SHA256

5e5766a24b3ef7703ecdae1366cceab9c424594a16cabd51e89a1b7b37fbf5ea
SHA512

808312c8b749998af1ec5c57ca78c01ad59e1e9f9858956abfbbfa6545f7805108e0c55978629cdb512a63b365b8f3576bf62d5734ffd27b44e812a22e22c83b
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlbuFxoEWMJzO5sS5gLz:Q+8X9G3vP3AMhujoipOOSqLz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045988481-1457812719-2617974652-1000\{1F839D98-CE14-4FA7-8DC6-7F3C32E2857C}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045988481-1457812719-2617974652-1000\{CF053DB9-D52B-4B44-BDB6-BFEEFC782F26}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	3536	explorer.exe
Token: SeCreatePagefilePrivilege	3536	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe
Token: SeShutdownPrivilege	452	explorer.exe
Token: SeCreatePagefilePrivilege	452	explorer.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
452	explorer.exe
452	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
3536	explorer.exe
452	explorer.exe
452	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2023-08-25_f366fd0f208193998e28e424e306e06b_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_f366fd0f208193998e28e424e306e06b_mafia_JC.exe"
1⤵
PID:3256

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:1656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:452