Overview

overview

8

Static

static

3

2024-01-26...ia.exe

windows7-x64

8

2024-01-26...ia.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/01/2024, 10:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe

  • Size

    14.0MB

  • MD5

    6ef9eb531fd516f470c8ceae141e2ee3

  • SHA1

    52cdacceebe2d3eaeafd27147c1d9ba7b29393ed

  • SHA256

    f37147d4bbcaf8b05f96820aaf8d148adb18336e3f01cbecb7b5f4b21e58c845

  • SHA512

    8009f7e51fa9570a0ebbc2a1e1f996d2226c7d8ad6f3ac80ba4184a8f69344d3c0eee80e18951cf85f55a9da1d371c7d82f9048c6034972844e29312ce2a86b8

  • SSDEEP

    393216:5wMYHSUFvsLSO3xbg5/tKjCV8jbbWXxicoUYo7wRTW8NCILTR/:OVaSO3O5/tqTwgCYo8RhEILl/

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 34 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\applyconfig.bat" -l="C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\SCE4089.tmp""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\hapint64.exe
        x86_64\HAPI\hapint64.exe -i -q -k CCTK-SCE -p "hapint64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
          dcmdev64.exe remove root\dcdbas
          4⤵
          • Executes dropped EXE
          PID:108
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
          dcmdev64.exe install .\dcdbas64.inf root\dcdbas
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1908
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dchcfg64.exe
          dchcfg64.exe command=getsupportedsystypes
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2356
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\cctk.exe
        x86_64\cctk.exe -i config.ini -l "C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\SCE4089.tmp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1652
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\hapint64.exe
        x86_64\HAPI\hapint64.exe -r -q -k CCTK-SCE
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
          dcmdev64.exe remove root\dcdbas
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2220
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7c59dff8-729b-70cc-4b1e-9112fe840d16}\dcdbas64.inf" "9" "6dfcb1ac3" "000000000000032C" "WinSta0\Default" "00000000000004B0" "208" "c:\programdata\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\hapi"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1904
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem2.inf" "dcdbas64.inf:Standard.ntamd64:dcdbas:8.2.0.454:root\dcdbas" "6dfcb1ac3" "000000000000032C" "00000000000005C0" "00000000000005BC"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2264
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
      PID:820

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\PROGRA~3\dell\drivers\2024-0~1\X86\HAPI\dcdtvm32.sys
            Filesize

            17B

            MD5

            9d4d9ec6ce9c703fcde269b7f1665c67

            SHA1

            d7e78cde5f87fd3ca5478a61b65af4b64ea97123

            SHA256

            ee57916b76f7c9895a83933fe239addf1a7d76ebe597bf41b8133196a0779a68

            SHA512

            4dfe5a3d8f5a675e927c1798ea6eec868c7b5dec6dd72ca584d93c69e0ed782aa25d413bb4a37ff1907e8637c4f476c4f6523e402f9c6f0193b467adfd0439a7

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchapi32.dll
            Filesize

            336KB

            MD5

            e3d920f761c9535ecf5d92cd7d9ad5cf

            SHA1

            da4d20b4873837fcd0609c4a30aabcd76bde0aee

            SHA256

            081ae3fa46059f97a4b7b1115f6d796bc27c751bae0da57b14cc6b6c4a15f540

            SHA512

            021068eb0db2aca4e0b9220905c673a13c1af81c7aad0d5fc354b74ae03f983f72f1558326bdc4509d7cd7347c6a3dadb5243180c60d1d165847375ba22bacb4

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchapi64.dll
            Filesize

            400KB

            MD5

            8f6f86f82fab15ecb18701a94801602c

            SHA1

            0bd48f782e532a42acd1b5d3028643763232f951

            SHA256

            4f02da8a8a122ff0504f52e3a8f27a0fd0fdba172e0377d37f13a6143c650cde

            SHA512

            7d4fa83cb08a0f36a0f8997f8f9bda35e50f9478ce52faa695bbbb0b24831888b65dd013ee9fd0e31c4ca2a6bc4967511e6971c5999af1c043a7d0ae983b295b

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchbas32.dll
            Filesize

            376KB

            MD5

            cd26cb34bba6d1ed20212b737e1dc7ef

            SHA1

            7447358f686f29a7a919cb39abd5e82b9fedac66

            SHA256

            ea6e0180a99a4a600605cf461934fbc772b4c52437f3d7c545609018c949b565

            SHA512

            f8fbea2fabba3866895c92b5a903fbee24a2e18b46368e74f2e0f88c35d0a9b183669d08d49e299e14785a377fceaae8875f3c83c624c286ad886b1033576901

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchbas64.dll
            Filesize

            452KB

            MD5

            cf004f9bae9042ba447a962555973658

            SHA1

            e889d6ea667a3ff57da93d83ca27e8edc00b6fa3

            SHA256

            0ed95ce084b64bf89a519f3e3cbc5b392ab3ced63cc72f5732d1d4e6cadb2910

            SHA512

            3457aa19684ceb3f4e5244215b23e4fc8b8399f92f80c7941dc98eeec07d3169298f13421d44bcef8f427532aaf3dfdc01c2b49c86c7920ae1f0aab79ce044c6

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\cctk.exe
            Filesize

            624KB

            MD5

            c60b4facc70a1fc3e2a71c3918361d97

            SHA1

            ffe25785a3f7dc00ef68c2cd40f73d906d882569

            SHA256

            259b5fa5dd9a49cad025a42e4875665dfb34d84a7d0cb6ecc5ed3c8e26cb62f4

            SHA512

            135f33ee2d04e43fe15bf1494fa8d2a830409a31feeceba42fc3a3821cf4642b0c026f283fdbbc793f315f1da901f4bde98dc3a3aea0ab10bbc232e941a52bd0

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\applyconfig.bat
            Filesize

            885B

            MD5

            21636cd59fbdb36ee31ca1bd06c244a4

            SHA1

            8741556987ac6acef7475f4d5562a2984b8749ba

            SHA256

            f4128c23625b915afbd307d91a2395fda20656dd63f7b4fa408a96b3c10186b4

            SHA512

            e8e581cda06e21c5943dc11bc937bb12faa094b5c81af9d77a2f7e956d1640115f0985e4359f2e53a73d7ef3b6e965e656fb365ebdccca7efec418a738aa1ee2

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcdbas64.inf
            Filesize

            1KB

            MD5

            7c2a6ffecdf1b526bc3fc9d1b18b28ae

            SHA1

            54ca9c16094486e242b3b641e012f74700f93ad1

            SHA256

            095ae098e9a41605fba14c0bb7f3254be7fcc05b327c27c4c78aff59d0a24853

            SHA512

            1a1523ef86755fa24589ef56662ece11f0abcb0d727219c5bf521a6dc92c152236ecbec369626212870b96c82c67e1aae23caecc97098e37e580f69bceafaa57

            Download Submit

          • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dchcfl64.dll
            Filesize

            333KB

            MD5

            a300bb3f80773475042a4e13911f8e01

            SHA1

            e98109986b89e4ff44e07e89e7f889e70f0e9c92

            SHA256

            a3685ca5d69c1934e0bfd884761df95086e01de7e133ea3107cfca26f7c4e980

            SHA512

            6f32d5467dc8da2b58415fcec119bf6615cc2551febb5d2b83f0160b2fe9e67e2c2b7f3e4ce67c969ea4d6b98ccad0398c1ce0a8b913c5d54ca7cdcbd8b44ca7

            Download Submit

          • C:\Windows\SysWOW64\dchcfl32.dll
            Filesize

            287KB

            MD5

            b04598ff628e05d41318ce50fe9aa471

            SHA1

            30155cb82a8ec2218d981467492310e92dcda705

            SHA256

            18d33b974fe001863f55e1bdb2942e919e9e9755bf9d44a35616fbefcfb21d6c

            SHA512

            998f9a47808eead3781590cc3f7fb2f21c4c2304aeaae3faa308bbfccf760f84cd21d7c8353c08e0d57ed52fdefaa78bab17145d9c6e408b411100f979e459a0

            Download Submit

          • C:\Windows\System32\DriverStore\FileRepository\dcdbas64.inf_amd64_neutral_11600ecf12dd041c\dcdbas64.PNF
            Filesize

            6KB

            MD5

            7b3bcd737bbfce760f06542c332b0109

            SHA1

            2c04f1bc7faebd5c973181411edf764b76cc3ecf

            SHA256

            78318f447dfbb7ab52728447d97af8b74376063d652902f348028be3ea3ea6a4

            SHA512

            6ff4a374b362089ccea0c80755b0e3165fb6cd7890ff1d2604c08271281789ac7aaaf6349ca96d50ed1e1bc40ba7f08b04920fa6bdf9446f4d9a465137042fd2

            Download Submit

          • C:\Windows\System32\DriverStore\INFCACHE.1
            Filesize

            1.4MB

            MD5

            73a4049c0640f6c10e1e46afbebeed84

            SHA1

            2c8c07a081ed63cb2251851004103ee9fdf91530

            SHA256

            7bd31fd32124abdb3746ab470488d02d1f295537121fb1535cca5cbe9e4fdfd4

            SHA512

            125e89ddb7bd88f971cb8213b2fdcd55fd93941950a0e0ede268877be17c18794448ef5535459a73c9dfc85d1ec5884cc7a8923a20a42e566d028fbdcd12cb0d

            Download Submit

          • C:\Windows\dchcfg32.exe
            Filesize

            347KB

            MD5

            c2c8ac125b287d8b78ab182067fed555

            SHA1

            56f73c9bc0c088dae2c5b261d8717d5370202944

            SHA256

            b7c33620286db0c9a123d092a9f7eb3bcf9923eca3932484b2e142c79cf01f6f

            SHA512

            e5cdbd443d9deac31092e47d8f8d403b0ceeefb4fa3e6b5618b1f317a8086d41d9e3bddc718c237c7eb575cb85e64de14591ecc7e5cee883a7beb5732949a964

            Download Submit

          • \??\c:\PROGRA~3\dell\drivers\2024-0~1\x86_64\hapi\dcdbas64.sys
            Filesize

            47KB

            MD5

            3ab549325a7067d23c97fc9669dd8a65

            SHA1

            55b59d442bd1abd4ba862e763ec1241a9a5d3f5f

            SHA256

            4058ff9422d30d3795b5bdc796636852e33efddbd9b6df584f3da5d2fb2d7daa

            SHA512

            b68549df9eb46857ed4df508357f94661d371bad708e1773fd835f1becb52cd833397ec7bfd843ba952a4561b6e7ea4cf48986005f384a07952a2f8493e6a972

            Download Submit

          • \??\c:\programdata\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\hapi\dcdbas64.cat
            Filesize

            8KB

            MD5

            d2383b90b4aab1cbb4c21aabfadc233b

            SHA1

            2ca61e2a3c097959ad25df8d99536547a8db6d8a

            SHA256

            639634a5c26e86c9545c95c31c463d4d5dd0f1822328fd9ff89190662ecf60fc

            SHA512

            605c27f229c2f55db35bc93aa3153197e813e8dfbba3e966bc1b17662f4419068e92838a1599fb1e29fd0d71accc9d329f7f0604ede0a08b0a15976c1a8e702f

            Download Submit

          • \ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchcfg64.exe
            Filesize

            416KB

            MD5

            de426e0013fd5508bc01e2976a7bdd12

            SHA1

            b861a727c7f6bba4c944b1818e8b224044ff56b4

            SHA256

            b35e2ef5e343e5397f3f3d14bce7a5ea8955e0f3958869615b1912835fe3584d

            SHA512

            fb28ebe8c2ab2146e6390b1e01ead664b32643d54a78e6b587b5072fc4610ce67e65413e849f6ba4e8019cca92f24e5e3bd9e5ad263193d7a266a0fa3c421420

            Download Submit

          • \ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dcmdev64.exe
            Filesize

            223KB

            MD5

            800d58aab609fb7fd456846f237d90eb

            SHA1

            5c031a0251b814b6c1297b1f426c145c712dd688

            SHA256

            95a8065e71b0d8091198adf3290e3bf36e32cb34eb53dce67218a02d0150fb48

            SHA512

            e829abe0835fa36d253c1b6720c9c2e3e40097417eb6eadf27344baaa490fc00d2325bf0ddc6bb2c3c904fbaf7c3122ddf976d61f73312d8dee80d346c1def10

            Download Submit

          • \ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\hapint64.exe
            Filesize

            477KB

            MD5

            f6e20063546210f36e95c05efdce22ad

            SHA1

            db4618172eb2d80424d3556408d71471c29ff80b

            SHA256

            23835a3fc69f19d2221a311bc60b6e2698a9859d9b2c8ab329a1264ca2c3745a

            SHA512

            70e90dcfb23e9d99fb011bd998db4eb8d5811ef9468d9741d256e16207fe6bdd6ddc562e212fb4e9da2b7d787137c953775df1e521c4b5b089766438e3fc02e1

            Download Submit

          • \ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\mxml1.dll
            Filesize

            113KB

            MD5

            18a91d7814414a47be9e5ca8c2586c9b

            SHA1

            c39291cd62d3507212b4736c6848f62b719a98b3

            SHA256

            c1504e798402c5ee36cd382e1e4a9339af5b20e9f83449aa0add6fc61eadbe16

            SHA512

            a611f85c785583849ced8bf174ffc148284fd1946587da53601c0f81a7e415f59fb98a1ace5d34c311b49f3c00fc20d2a2ccd18ecbdd0e573d81f307a56113d5

            Download Submit