Analysis
-
max time kernel
128s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28/01/2024, 04:42
General
-
Target
2024-01-28_16e87bc6047490d5a2afb024aaf3c131_mafia.exe
-
Size
653KB
-
MD5
16e87bc6047490d5a2afb024aaf3c131
-
SHA1
afb0d6930510fb9f08ea67735c53daa992c21cb1
-
SHA256
d8538700423ba52ed9a6e1c38410c397a4a98871e8de2ab3b054c780dd68f763
-
SHA512
d42b61ce1b198b000e8d1ebebea31885903af0dfc6ee51274c8a294dea0726939d646e02a0d1f12c94197e52f82dc4b9d5009d8e03c488c2433f673fb256d5f9
-
SSDEEP
12288:Yij0isJD+m3srW+5tEZG1QRw7rZ0n9sLXxGkgXYhfu0tF:lIiG+m8rWwHfR0yXkkxVtF
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 33 IoCs
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 48 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 16 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 38 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-28_16e87bc6047490d5a2afb024aaf3c131_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-28_16e87bc6047490d5a2afb024aaf3c131_mafia.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\minidownload.exeC:\Users\Admin\AppData\Local\Temp\\minidownload.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fyx.sogou.com%2Fredirectdownload.jsp%3Fu%3Dhttp%253A%252F%252Fdota2.dl.wanmei.com%252Fdota2%252Fclient%252FDOTA2Setup20150708.zip%26pcid%3D7097013680706490436%26downloadtype%3Dgame%26filename%3DDOTA2Setup20150708.zip&iconurl=http%3A%2F%2Fimg03.sogoucdn.com%2Fapp%2Fa%2F100520071%2Fff82994a024a0f096d15edb802b0c941.jpg&softname=DOTA2&softsize=89898849032⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe"C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe" /BindSogouFinder3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload.dll"4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint.dll"4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe"C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe" /Regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Install4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
-
C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe"C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe" MiniThunderPlatform2024-01-2804:42:58 "C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Service1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
191KB
MD587d4aa3496919af493c9365619c3fd53
SHA1a883a0be2940811ef9232592c811b854f684f4b7
SHA256d4a4eb61a6ffba806c3f34fa6bb5fca32489f53138dbaf324a8b2d210afa0771
SHA512064637554b7e7e1c5699f4e4ced73dd4ca7bf87172009b121bedeb864f8e3d03a1352b6f6b9515b9a4020137e07b9981476a664eadbd27bd32acdd8a53003372
-
Filesize
560KB
MD503311437428117fb004eec8b38b62cca
SHA1394c7c27c61d4e341f64c2be812ffac2ebe8c8af
SHA2560565e862198c1979c5d58c8b6120c15601c668c9adcc3c545c5f2f27c85c3edc
SHA512fe719a26feed2c6147c4e71a4d732afcaf59c2146d6d8adbfa533dcc3af1d2c11d6174371f4d4babe6cac2b6cc438626a14e7f02ad5e9e2fe506351891d8f4d2
-
Filesize
7KB
MD559bf1a7a08d5e3b066a650351197f0af
SHA1833d0f6bff8b4daf936b8902e375a942d3d831e7
SHA256fa2fb59f16ccb6ec42ad804a270654b1fe50fc5303a39df734621efd96daad30
SHA512fe7edeab6008a51885932a0cedcffa73327029c5a6bae636b0fc25f52f60b38d795f01e56bc1071b911d2f77aca2b644461f5f52398fead735bdb74959876592
-
Filesize
93KB
MD55790ead7ad3ba27397aedfa3d263b867
SHA18130544c215fe5d1ec081d83461bf4a711e74882
SHA2562ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
SHA512781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a
-
Filesize
58KB
MD558bb62e88687791ad2ea5d8d6e3fe18b
SHA10ffb029064741d10c9cf3f629202aa97167883de
SHA256f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100
SHA512cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5
-
Filesize
76B
MD5eeb80831da6c34ee872846edce4d6a03
SHA1c3c314f5936b95b8a33eed6d39b2f7309e517bee
SHA256620f10c15a1d7e1cb122234ab2c862f201913c29865282733cc42db0512a485b
SHA51286162a73410639731790950b46a726321d183552217fe3473fa549e193afa03a30876b8180e8dd0fd7990b3452a31e1f02d0ebce21b361f70224303ded8f75a3
-
Filesize
5KB
MD57b73753cd524c62838f1031e52b6310d
SHA121d962ff343263f484262cc246ce9683dbac89b3
SHA256e3629d6e735ac18a47c36c4a8a3caf2469102eb6abf12d938a82df16bb012d4f
SHA5127f5ae1c87227671bd91f8a65cae9ee90976d2a427a2a5530b754ef5fad80e7d096b53e31f715cd38553f8b56776d80176a927419b467a169929f41ce185b5248
-
Filesize
6KB
MD5f122f616e4b32a843d7f6803bea9a10f
SHA19a8eed20175b74821f2678ea72d086d55330bb42
SHA256f9d5aa213ccbd78f98d6b1978e378de7a1b37b1fbffb93e4ea1f1b914a720e0d
SHA512aa5a1595c785469dc2d68dcfe20af232baa0bff2f96f3276a14ba2f925fc1316ee50b694fb193d8d963e10656cd6da9e623fb54ca6a201fae3aca4a64319f7b8
-
Filesize
1KB
MD5c2cfc62059b6259d5db8b7e64b76ea0d
SHA1eaf2eb169b87faeb829e124ce6e6f9f292f7f266
SHA256ca281adf65372f5fc51f621fbe93a935629e2d979958ffd3f5f695cf7bc3d23e
SHA5127e007989e19a8735ef7bd8c467ed213fd3321e81af2980d3a93403098f53fbf0df0a6f9bcaad794623d80fb05cbcc293b49c73c76a05be970f689d9f21bc3346
-
Filesize
25KB
MD5b6b31a4d23c2664b87dc8bf1fcf8ff22
SHA117f27a514ef7119080be4ae9dc691010acdc43fa
SHA2565ece2e217e6a50b2ecc6564601c1da92441c73a1a34a3c6c5d207d6726df8756
SHA5125506ed1fba0e3fa471c83240266ff329fbb23ae862955a5bac358ae506c90d4c03227a710fc548ca5510eb711b95ecce75c63323c30766e3dd081c081b5829cd
-
Filesize
348B
MD5915d0422e8b87e694bb052287e45de06
SHA1ae5f77eda69dd12218fc542279fe9e4e0a85db22
SHA2565fa5d3bedabe22c5193b5eace4ae3be80a5c8c6271873e1d915bc42c525ce689
SHA5124392768182f58bb14aad04d5f4287447eb239b6387cb7371def0ce25bb940be88d32c366e7c483cfd604f0aa7a11171084411530389926f3eb6cc1f9f9847852
-
Filesize
657B
MD50e0ac8352cd69f396f271fa32f3ab554
SHA1ed6d306a5033707f45477df3318a53d15b47cf43
SHA256c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA5125d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0
-
Filesize
285B
MD57db33b5890d916426f77d585ab3c4fa9
SHA199a794c3a88803ae289c7ea6f0d733e22a3b799b
SHA2565585318ea9be125540f00f04b05b29da3816ef97ce837a22a2eaee2d5d462d9b
SHA5129800273f1e605b946dd553cbae650270c5bf2af7909a4836aa81907f9e30ca348a3552a1887e3357472ca1b93fa8361a17bee3fb742fb5a2d0c1b47a5a47c773
-
Filesize
10KB
MD5631f38cfac458788af482eba736e5ac3
SHA1b1d09def39ec74eff2c9e0aafe0a7c12e7650150
SHA25613e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d
SHA5123ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42
-
Filesize
302KB
MD58523eee6d4c49b110e6c19ecfd7e5620
SHA1434ddf9f77f904812ef4c3c2329ce057b30dfdfc
SHA256a4917bf56e25576632e808c5199c3c43eb21c866e4e6eb6747c79168f6044c57
SHA512bb916842beac0a605675dda9bf240b2f75437a61bbdd3d89fd464694167db7addb9fd6dd2fce482b9670c9c0e46eb9b3952cf538fb555ade10a9787f4081934a
-
Filesize
1.1MB
MD55bee2b0eda81834b55fbfed974c31087
SHA1d5d2e51ce10d62f0c3387f8b14f6ac6bb82b609d
SHA2569a8858e8897e81a05de6725e2dd6da76318c00cbabea1c6e230c1ac19e420c73
SHA51260aab7f4dd3414bb1067333299453c7b4cf95c258ccedd245bd857543987bbab9df41bfbb36b6a7a275cc4af016a604d9202d4b44aab76df04668767caee8ed1
-
Filesize
1.3MB
MD5ecedaf2709c522538dba0632ba31000c
SHA1e7a0b78e5dc2b8dfe658c4cea1092a579e76503e
SHA2567f737937192794c3415e972c307b01acfedb6a2c86e59f46a79012d8c8a95253
SHA5120c1a91ba2b404dd379de6772e6ab5f4afff70ce4eeb9f47b0b22e95f56f91776cc8451e25171b9b9346304b5ec33b187895e78349d6c538e833288c9c04f6eed
-
Filesize
1.5MB
MD58d715f3c249e3717f0a81080c439f1c6
SHA12b197a7a6d69ebbd6d6304abf65b49b361f30401
SHA256dd6efdf03d3f1ea640d62d533dd9e4f28a2f2f17f32c47e36a85f532bc97305f
SHA5120c9cddce1b40e617f5328289ece6d080a297a77b7f88f34702a05b6c183ab0bc8504a22abc036e678c5d3dc0d410e99ad1021d408b40c1048ac04df015fd1483
-
Filesize
992B
MD59bc1ea6b68652f96baf232b93e2be6c5
SHA10369f758870c638d067d88211c76f6a1297c49ec
SHA256f28098a7782778b514cfc7bc74af6c4b71735ab38e5bf731ab2f4317fbd3f182
SHA512d240bcc4b953d2275bf645a6a6b7f7151c900551cd5a2a066d3030311c50d34a8d1390d6a6cd5361b3544c92127bc4823aa9437a70d277358c1a0fe573fdeefa
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
96B
MD5555dab2d015ba4f22a8f885d3fc100f7
SHA108cbeed7c7f5afc01ca27984a9c824e54b2b7683
SHA2564f74b2a491d50298172001ea419cf9eea0ea4f6cf94d0f53c5e6fe09f83e0d47
SHA51252cf4c05cba436e5a2e358ad1ff9e5d828c9640c2a0efe4dcb07e6e80754ed59bb7a6652bf3dbd6cfb81ac7e556824e321ab674a80092dbc374aff644f67f854
-
Filesize
83KB
MD56a695550741cdbafba406d0c7a9ebd00
SHA132e9128129068e4524370fac7eba88ca9f6c109e
SHA256d16b036fab037ef7f529c963a746e6963a552b7bf56bd6026db84028bd6aadb9
SHA512d4d15129e446fc1d5ac0d9688f775b83d736bb296617a86c93f0a6208931bb84936adab5e4e71339065dcd3d6ec6b1a2af189b8802409a2d4ab5f5556f85f81a
-
Filesize
300KB
MD56cffe36e5e3d9364a18eaf4a44ebfc23
SHA18a3bb3fa5f76a7eac5dfc4bd201a5e5203c10bcf
SHA256cd57765f8cea6a4f422862c0b8a3e1945f17292e4c14b31333ec1525e05c6025
SHA5127e145a0a79bd3d8caa89bae2ddb1187ff4de481426bb820cdf8f0206c96819d38af0ade5aad6c9e89da4e11dad6d5ab692f3d8bb25b90da2596bf49619fe325b
-
Filesize
346KB
MD530e7e39b49c8590aec85aca2664ff3e7
SHA18273c46fb4666e44ce3865012529aebb6aa95f1c
SHA2563d3f8c1a05c2b5b5362b9ee0ddc1ce653a22abf0b559acceebcc82b73dbaf79a
SHA5128d967605e4be98929cf6b508dccc217e60186da44dcb594d16e286f29b66c846dc1c4e676fab235de7f2326bcb4aae30528a535136de72f6a978a48d8a424245
-
Filesize
133KB
MD5004dcd89684f7fc42d3c77edf80dfc92
SHA18a086552df8c17ad146518757689f9237e27b87d
SHA25667510f7dd0476f12e07901ac0344d92186dd761a52398ee1e835421382094f1b
SHA5123a60493e77a7e59147d2b75bed788062d7482d922062d63a40ba3a050013736ce28e1f6319ba3eb7faecc44de9332ff571c028ea8582270d614d9659bf2769ac
-
Filesize
42KB
MD5ef217dde650c290e6f15bdbd7f55f26d
SHA187ef4ca0ac1f7dd6c50bdaa0aeeebc3d1e132dcf
SHA256a445ea86ffb20f9540d53aa12dc8f3737a9c87573241b9c5686109533b92e890
SHA512d2ae2574d2fa5455b590513066bdee9d3765bffd6b82450a5e619d01d4378013cbdcb4f0d9cec47ba7f03125098945c07cb0c6274a9a1ad0346bddd10fe022b5
-
Filesize
263KB
MD509c16c79a0093b38ef756c58c32d75e2
SHA1d6721cc14a1dd1879a923b38fd046d6e8b0f40df
SHA256a93cce637743104e4d418eca05f238405b3e97672163d8abd1ad429045f843b6
SHA512eabb9237b5121e9755a01d4e9522513fbf5ea4594779d336fe373708933006b94d10a23a749efc623177296b1270337a63aab46d4990a0ee1f73df7ee8622f87
-
Filesize
1.7MB
MD50b3ff635b1c259cb0529d44571ef9e35
SHA1715396e57b5a350ac1d998426a3b4f1003886f3d
SHA256e94984577a46a34557cabc87693c12ebdcc12b1bada0de003b924e64828f7131
SHA51260e3d8dff44fb282da489dfc8c8ab1ccee6da9208178643937d2b9ad287a0e1b39723b8a2b2acd717afe298ab931aff78855be8de8ecd3867d6716068910d3aa
-
Filesize
1.3MB
MD54dcb94ef2ac04fe0ffac16e5d30654f5
SHA109a227ebc8fd13f89723145f639b8e84c8bc3073
SHA2562fe7fd91ddcf0e55a6cf13fafe5a1fb1cb34463dca3eb9a07945a4e539199d1f
SHA5123ea839101122dac34e2775fc95e79e25fd48b8f6f8041d53a46d19d42427b203061b703d1419f38ed0eb47d9de141b8da50568955f84265b63738eb340d44db6
-
Filesize
1.3MB
MD517e7d8bd029fb1c789adc8618f6051f9
SHA1c8a1c32ff9ec25242feef62667a2f3b21c81282d
SHA2563dd3067fd724b2a7f0b426a15750d812555072768074c5a485545a9b085308d7
SHA512de17366757cf8d3ed10b9be257fab9b44ebdea354c7213ec0b1135c8ed42d7d1931e6085ee465d9f33977d85608e85f6127e1c647fbb5e34eef45137e2531516
-
Filesize
1.0MB
MD5620f001769ebca1d067e0b0eccd506db
SHA1073bd205bd3ef9b12d8985614d0c15c8777f47cc
SHA2568693abb5e69b35d94c1dd21534aa16614485fc5aa5bc6fb4794831ee5fbf31f7
SHA51282268cb35c9a3a36e522a3415f5be6b00cf9f49b4c34893ff374c34d0c22911bf664a2d2684899e1eb2b645beefdd147a4a41e971f2396381f19c0cd6db5b9dd
-
Filesize
154KB
MD544f5df9407679e7385a0a3a925fbc39b
SHA195681735e2b3e8d0296b39fb505a6e6644e2330b
SHA256a1779be9ef6a3ec798578c0b79a279d34316872d8509eb37f62c98b2fe6af23f
SHA512bf02965127b81da708e13b519b822903de9999b797bbd0ed6697a39e95279511c9e9044d793ef69d9a11f3d518fce1ba85250bbe58c6255f660a09bced35c63f
-
Filesize
324KB
MD58bde3d87157322360828ba6e8dd43073
SHA1b502f83f19da64826257800db1f62d15bbdabc7c
SHA256459e67cfd20eaa1b7768e1ad845c90f72f4c2643d428f5cd8551f7b364382307
SHA512c60d3fc3e130e164349a751a3c42d922ea4d46b42198da5a03879bdf0990ba94549bd36682d4e1e0bb2c13b4865f2d650e3967d963cd8e9deee7c6353cc3af16
-
Filesize
4KB
