6d4eaa00386f7e31da0e5e38a6da9ab963f425b39b8d207cc429e95b0c0514cc

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
Size

119KB
MD5

1ef0c1c293aad89a4d3a2ffb5fec9609
SHA1

787a3344358255291873835d2102f7f8955030bf
SHA256

6d4eaa00386f7e31da0e5e38a6da9ab963f425b39b8d207cc429e95b0c0514cc
SHA512

5b70e340c9743aac6f45d034f0d2dc06c891a68dd5879b45cef5f8e3ca1f139e67df725a88f8981e0a65853f923a0db3022417dbbd692b585375f72d13267ae3
SSDEEP

1536:eUZcxmcd+mmyR9IrpDsp9eoWF9d+xztu+qHPb4pqqnAFQONXsrJgFy0qW+zVau1:eUrcDmOIrysoWFnauHD4trJgFyzau1

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hzl5D.exe

Detects executables calling ClearMyTracksByProcess 1 IoCs

resource	yara_rule
behavioral1/memory/2772-56-0x0000000010000000-0x0000000010061000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015dd8-15.dat	UPX
behavioral1/memory/2988-18-0x0000000003900000-0x0000000003A3F000-memory.dmp	UPX
behavioral1/memory/2772-29-0x0000000000400000-0x000000000053F000-memory.dmp	UPX
behavioral1/memory/2772-71-0x0000000000400000-0x000000000053F000-memory.dmp	UPX

Downloads MZ/PE file
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
2772	Hzl5D.exe

Loads dropped DLL 4 IoCs

pid	Process
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015dd8-15.dat	upx
behavioral1/memory/2988-18-0x0000000003900000-0x0000000003A3F000-memory.dmp	upx
behavioral1/memory/2772-29-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/2772-71-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2988	WerFault.exe	17

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Hzl5D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Hzl5D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe
2772	Hzl5D.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	Hzl5D.exe
2772	Hzl5D.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 2772	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	31
PID 2988 wrote to memory of 1968	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	32
PID 2988 wrote to memory of 1968	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	32
PID 2988 wrote to memory of 1968	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	32
PID 2988 wrote to memory of 1968	2988	2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe	32
PID 2772 wrote to memory of 2736	2772	Hzl5D.exe	33
PID 2772 wrote to memory of 2736	2772	Hzl5D.exe	33
PID 2772 wrote to memory of 2736	2772	Hzl5D.exe	33
PID 2772 wrote to memory of 2736	2772	Hzl5D.exe	33

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hzl5D.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\ProgramData\fMoJi6\Hzl5D.exe
  "C:\ProgramData\fMoJi6\Hzl5D.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 828
  2⤵
  - Program crash
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fMoJi6\Hzl5D.dat

Filesize
129KB

MD5
11e8353edb2cea51c2c39c97fdcc579d

SHA1
664056a994fa70bfa34aa768f7021dcb463db93d

SHA256
df70504e9a94a389e291ce83b4b20e6cab1bc90c30d49d074d6b57e5ec6b4fe7

SHA512
3991edc4bec1f561c9561ca7d6807e1d4c1ff19df1a340e6c434ef78cbf112a9fe5ca5e4348d369a76e0b9f34b16f27289cc12c0c5728f35e063f7e59dc08617

Download Submit
C:\ProgramData\fMoJi6\edge.jpg

Filesize
356KB

MD5
7cf3c63c8a06920ddc92a2d1906b290a

SHA1
a9396327f19d92e2b20919cfc31a20897f637e5c

SHA256
054bc4baed7194b9c67aae6995298a04c08d78df49252f3390544c3c5908421b

SHA512
50eb3298ce63368f7e0b8303b03761affb58d8e880615661a2126c169561d0791d5d77e519f5ae7c277c04b1b90df4fd2e97d82d05db747e7900e916daf0da2c

Download Submit
C:\ProgramData\fMoJi6\edge.xml

Filesize
78KB

MD5
40f433a21084d2132b4d3b761ac814c6

SHA1
a09f70cd077ee08da78de4cf71b2023c7353e3f9

SHA256
43d17f28f6104017665b2e26b9064285a12f634d7c2cdf9b8776ce312da1fbb2

SHA512
ee3c9aa54d05b82a6169b2fdcd3c7543119f625d92d5d6edb530ec24b91d2968ef46b394df552911932e63d1ce516999fa166bc362c19d5b44341fa1f13d10db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
05a6b5e6f8f3c239a9669dcc693e9b83

SHA1
194ff18e37d56b8d988cd60bb9f0e94bbb23e767

SHA256
1bfa036a09bad94fc4b9ce956c13628987f4e390a5f88d64a47f44941aa31692

SHA512
0464644346aecc20a35c0ede49bd8e4484314941894553ed728f12c1005b5a01a222b18af396da9675c8183bf8935765ea59a03cacbeb71138270998f9f4c7cb

Download Submit
\ProgramData\fMoJi6\Hzl5D.exe

Filesize
476KB

MD5
25a624055a2d6e2420d245630eaacce5

SHA1
1407c3bafb299df11c8189ba61c4ae36eb093e8b

SHA256
6749248aa8790034af77ce85e8a6e24f658948a2fa91c48dd021dd6e9fbd1f40

SHA512
ce5bff16fea77f0f5d61c7eaf20ee57e964264b9ea4890110c08c5a3da2002052aeed54979f179d86edbfbe3427da014594737f2374867960381657da1376b17

Download Submit
memory/2772-56-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2772-29-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2772-53-0x00000000008C0000-0x00000000008D7000-memory.dmp

Filesize
92KB

Download
memory/2772-51-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2772-71-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2772-73-0x00000000008C0000-0x00000000008D7000-memory.dmp

Filesize
92KB

Download
memory/2988-27-0x0000000003900000-0x0000000003A3F000-memory.dmp

Filesize
1.2MB

Download
memory/2988-2-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2988-18-0x0000000003900000-0x0000000003A3F000-memory.dmp

Filesize
1.2MB

Download