Overview

overview

8

Static

static

3

2024-01-26...ia.exe

windows7-x64

8

2024-01-26...ia.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe

  • Size

    14.0MB

  • MD5

    6ef9eb531fd516f470c8ceae141e2ee3

  • SHA1

    52cdacceebe2d3eaeafd27147c1d9ba7b29393ed

  • SHA256

    f37147d4bbcaf8b05f96820aaf8d148adb18336e3f01cbecb7b5f4b21e58c845

  • SHA512

    8009f7e51fa9570a0ebbc2a1e1f996d2226c7d8ad6f3ac80ba4184a8f69344d3c0eee80e18951cf85f55a9da1d371c7d82f9048c6034972844e29312ce2a86b8

  • SSDEEP

    393216:5wMYHSUFvsLSO3xbg5/tKjCV8jbbWXxicoUYo7wRTW8NCILTR/:OVaSO3O5/tqTwgCYo8RhEILl/

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 29 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\applyconfig.bat" -l="C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\SCE5023.tmp""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\hapint64.exe
        x86_64\HAPI\hapint64.exe -i -q -k CCTK-SCE -p "hapint64.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
          dcmdev64.exe remove root\dcdbas
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3740
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
          dcmdev64.exe install .\dcdbas64.inf root\dcdbas
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:6132
        • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dchcfg64.exe
          dchcfg64.exe command=getsupportedsystypes
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1760
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\cctk.exe
        x86_64\cctk.exe -i config.ini -l "C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\SCE5023.tmp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4068
      • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\hapint64.exe
        x86_64\HAPI\hapint64.exe -r -q -k CCTK-SCE
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3b990070-fedc-9740-814d-1c2c2eda17a6}\dcdbas64.inf" "9" "4dfcb1ac3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\programdata\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\hapi"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:460
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:ef423affc3c959fa:dcdbas:8.2.0.454:root\dcdbas," "4dfcb1ac3" "000000000000014C"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcmdev64.exe
    dcmdev64.exe remove root\dcdbas
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~3\dell\drivers\2024-0~1\X86\HAPI\dcdipm32.sys
    Filesize

    17B

    MD5

    9d4d9ec6ce9c703fcde269b7f1665c67

    SHA1

    d7e78cde5f87fd3ca5478a61b65af4b64ea97123

    SHA256

    ee57916b76f7c9895a83933fe239addf1a7d76ebe597bf41b8133196a0779a68

    SHA512

    4dfe5a3d8f5a675e927c1798ea6eec868c7b5dec6dd72ca584d93c69e0ed782aa25d413bb4a37ff1907e8637c4f476c4f6523e402f9c6f0193b467adfd0439a7

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchapi32.dll
    Filesize

    336KB

    MD5

    e3d920f761c9535ecf5d92cd7d9ad5cf

    SHA1

    da4d20b4873837fcd0609c4a30aabcd76bde0aee

    SHA256

    081ae3fa46059f97a4b7b1115f6d796bc27c751bae0da57b14cc6b6c4a15f540

    SHA512

    021068eb0db2aca4e0b9220905c673a13c1af81c7aad0d5fc354b74ae03f983f72f1558326bdc4509d7cd7347c6a3dadb5243180c60d1d165847375ba22bacb4

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchapi64.dll
    Filesize

    256KB

    MD5

    03807821350ae95e8d280e0eaf9b4b25

    SHA1

    883c884d5eb09a037be34a4c0c2f8af434ca8dd5

    SHA256

    1485c73147d0bf38099ab184999d2eef87a6b9d4fdf4e8b5cb42c8cdf5bc79eb

    SHA512

    ccaecf15e42a205cbacf6a57a8c37fa78788cdefd4826e3a38ab55f9e54fcb707916292b7d22dbe400348ca22eb3b2391550b217859d8b85eafc28af48cff6ac

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchbas64.dll
    Filesize

    443KB

    MD5

    1fd890b5d6b7e5d374dc185d1f898e80

    SHA1

    e4c29d3f441064f249ad8fddba0fe463ef5e46e4

    SHA256

    ad6471c1084e39721e7df423d50cda8992fee44a492b9cf9d699438263ddeb7e

    SHA512

    46ed33dfd8a7f49a9f2153fbc1231d27ebb46ead1ba26639b72e727522b59d6bd2ef38e0a3cddf66f73b6da5f80016c2812886bfce2ba14620a9f3adde198208

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchbas64.dll
    Filesize

    452KB

    MD5

    cf004f9bae9042ba447a962555973658

    SHA1

    e889d6ea667a3ff57da93d83ca27e8edc00b6fa3

    SHA256

    0ed95ce084b64bf89a519f3e3cbc5b392ab3ced63cc72f5732d1d4e6cadb2910

    SHA512

    3457aa19684ceb3f4e5244215b23e4fc8b8399f92f80c7941dc98eeec07d3169298f13421d44bcef8f427532aaf3dfdc01c2b49c86c7920ae1f0aab79ce044c6

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchcfg32.exe
    Filesize

    347KB

    MD5

    c2c8ac125b287d8b78ab182067fed555

    SHA1

    56f73c9bc0c088dae2c5b261d8717d5370202944

    SHA256

    b7c33620286db0c9a123d092a9f7eb3bcf9923eca3932484b2e142c79cf01f6f

    SHA512

    e5cdbd443d9deac31092e47d8f8d403b0ceeefb4fa3e6b5618b1f317a8086d41d9e3bddc718c237c7eb575cb85e64de14591ecc7e5cee883a7beb5732949a964

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchcfg64.exe
    Filesize

    416KB

    MD5

    de426e0013fd5508bc01e2976a7bdd12

    SHA1

    b861a727c7f6bba4c944b1818e8b224044ff56b4

    SHA256

    b35e2ef5e343e5397f3f3d14bce7a5ea8955e0f3958869615b1912835fe3584d

    SHA512

    fb28ebe8c2ab2146e6390b1e01ead664b32643d54a78e6b587b5072fc4610ce67e65413e849f6ba4e8019cca92f24e5e3bd9e5ad263193d7a266a0fa3c421420

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dchcfl64.dll
    Filesize

    333KB

    MD5

    a300bb3f80773475042a4e13911f8e01

    SHA1

    e98109986b89e4ff44e07e89e7f889e70f0e9c92

    SHA256

    a3685ca5d69c1934e0bfd884761df95086e01de7e133ea3107cfca26f7c4e980

    SHA512

    6f32d5467dc8da2b58415fcec119bf6615cc2551febb5d2b83f0160b2fe9e67e2c2b7f3e4ce67c969ea4d6b98ccad0398c1ce0a8b913c5d54ca7cdcbd8b44ca7

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\dcmdev64.exe
    Filesize

    223KB

    MD5

    800d58aab609fb7fd456846f237d90eb

    SHA1

    5c031a0251b814b6c1297b1f426c145c712dd688

    SHA256

    95a8065e71b0d8091198adf3290e3bf36e32cb34eb53dce67218a02d0150fb48

    SHA512

    e829abe0835fa36d253c1b6720c9c2e3e40097417eb6eadf27344baaa490fc00d2325bf0ddc6bb2c3c904fbaf7c3122ddf976d61f73312d8dee80d346c1def10

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\X86_64\HAPI\hapint64.exe
    Filesize

    477KB

    MD5

    f6e20063546210f36e95c05efdce22ad

    SHA1

    db4618172eb2d80424d3556408d71471c29ff80b

    SHA256

    23835a3fc69f19d2221a311bc60b6e2698a9859d9b2c8ab329a1264ca2c3745a

    SHA512

    70e90dcfb23e9d99fb011bd998db4eb8d5811ef9468d9741d256e16207fe6bdd6ddc562e212fb4e9da2b7d787137c953775df1e521c4b5b089766438e3fc02e1

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\applyconfig.bat
    Filesize

    885B

    MD5

    21636cd59fbdb36ee31ca1bd06c244a4

    SHA1

    8741556987ac6acef7475f4d5562a2984b8749ba

    SHA256

    f4128c23625b915afbd307d91a2395fda20656dd63f7b4fa408a96b3c10186b4

    SHA512

    e8e581cda06e21c5943dc11bc937bb12faa094b5c81af9d77a2f7e956d1640115f0985e4359f2e53a73d7ef3b6e965e656fb365ebdccca7efec418a738aa1ee2

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\HAPI\dcdbas64.inf
    Filesize

    1KB

    MD5

    7c2a6ffecdf1b526bc3fc9d1b18b28ae

    SHA1

    54ca9c16094486e242b3b641e012f74700f93ad1

    SHA256

    095ae098e9a41605fba14c0bb7f3254be7fcc05b327c27c4c78aff59d0a24853

    SHA512

    1a1523ef86755fa24589ef56662ece11f0abcb0d727219c5bf521a6dc92c152236ecbec369626212870b96c82c67e1aae23caecc97098e37e580f69bceafaa57

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\MXML1.dll
    Filesize

    113KB

    MD5

    18a91d7814414a47be9e5ca8c2586c9b

    SHA1

    c39291cd62d3507212b4736c6848f62b719a98b3

    SHA256

    c1504e798402c5ee36cd382e1e4a9339af5b20e9f83449aa0add6fc61eadbe16

    SHA512

    a611f85c785583849ced8bf174ffc148284fd1946587da53601c0f81a7e415f59fb98a1ace5d34c311b49f3c00fc20d2a2ccd18ecbdd0e573d81f307a56113d5

    Download Submit

  • C:\ProgramData\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\cctk.exe
    Filesize

    624KB

    MD5

    c60b4facc70a1fc3e2a71c3918361d97

    SHA1

    ffe25785a3f7dc00ef68c2cd40f73d906d882569

    SHA256

    259b5fa5dd9a49cad025a42e4875665dfb34d84a7d0cb6ecc5ed3c8e26cb62f4

    SHA512

    135f33ee2d04e43fe15bf1494fa8d2a830409a31feeceba42fc3a3821cf4642b0c026f283fdbbc793f315f1da901f4bde98dc3a3aea0ab10bbc232e941a52bd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{3b990070-fedc-9740-814d-1c2c2eda17a6}\dcdbas64.sys
    Filesize

    47KB

    MD5

    3ab549325a7067d23c97fc9669dd8a65

    SHA1

    55b59d442bd1abd4ba862e763ec1241a9a5d3f5f

    SHA256

    4058ff9422d30d3795b5bdc796636852e33efddbd9b6df584f3da5d2fb2d7daa

    SHA512

    b68549df9eb46857ed4df508357f94661d371bad708e1773fd835f1becb52cd833397ec7bfd843ba952a4561b6e7ea4cf48986005f384a07952a2f8493e6a972

    Download Submit

  • C:\Windows\SysWOW64\dchapi32.dll
    Filesize

    278KB

    MD5

    6b1c374573a30983c2f284afc6a5fa0f

    SHA1

    7223c8040e32195ef1db80b95bf55893e538ab47

    SHA256

    0165990c7b5ff4cde8245c16ecc9548bcafb39ea88d11da94e0f5829bf8ed008

    SHA512

    ceb2cf64befa0b6031ddbcb6660cadbc9c880ab48a0aa9b0bb0f053129e16c4beae354923a0d2c5c63b7e7bed948837dfb3998712a30ee345ac0b93c77c2cf41

    Download Submit

  • C:\Windows\SysWOW64\dchbas32.dll
    Filesize

    376KB

    MD5

    cd26cb34bba6d1ed20212b737e1dc7ef

    SHA1

    7447358f686f29a7a919cb39abd5e82b9fedac66

    SHA256

    ea6e0180a99a4a600605cf461934fbc772b4c52437f3d7c545609018c949b565

    SHA512

    f8fbea2fabba3866895c92b5a903fbee24a2e18b46368e74f2e0f88c35d0a9b183669d08d49e299e14785a377fceaae8875f3c83c624c286ad886b1033576901

    Download Submit

  • C:\Windows\SysWOW64\dchcfl32.dll
    Filesize

    287KB

    MD5

    b04598ff628e05d41318ce50fe9aa471

    SHA1

    30155cb82a8ec2218d981467492310e92dcda705

    SHA256

    18d33b974fe001863f55e1bdb2942e919e9e9755bf9d44a35616fbefcfb21d6c

    SHA512

    998f9a47808eead3781590cc3f7fb2f21c4c2304aeaae3faa308bbfccf760f84cd21d7c8353c08e0d57ed52fdefaa78bab17145d9c6e408b411100f979e459a0

    Download Submit

  • C:\Windows\system32\dchapi64.dll
    Filesize

    400KB

    MD5

    8f6f86f82fab15ecb18701a94801602c

    SHA1

    0bd48f782e532a42acd1b5d3028643763232f951

    SHA256

    4f02da8a8a122ff0504f52e3a8f27a0fd0fdba172e0377d37f13a6143c650cde

    SHA512

    7d4fa83cb08a0f36a0f8997f8f9bda35e50f9478ce52faa695bbbb0b24831888b65dd013ee9fd0e31c4ca2a6bc4967511e6971c5999af1c043a7d0ae983b295b

    Download Submit

  • \??\c:\programdata\dell\drivers\2024-01-26_6ef9eb531fd516f470c8ceae141e2ee3_mafia\x86_64\hapi\dcdbas64.cat
    Filesize

    8KB

    MD5

    d2383b90b4aab1cbb4c21aabfadc233b

    SHA1

    2ca61e2a3c097959ad25df8d99536547a8db6d8a

    SHA256

    639634a5c26e86c9545c95c31c463d4d5dd0f1822328fd9ff89190662ecf60fc

    SHA512

    605c27f229c2f55db35bc93aa3153197e813e8dfbba3e966bc1b17662f4419068e92838a1599fb1e29fd0d71accc9d329f7f0604ede0a08b0a15976c1a8e702f

    Download Submit