Analysis Overview
SHA256
7277aff9923bc160fc591dfb30ea8b3a8ef51c322cd9182c00713bd932753526
Threat Level: Known bad
The file 2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-19 18:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-19 18:01
Reported
2024-02-19 19:25
Platform
win10v2004-20231222-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{5F5AFF4A-2F7F-4279-88C2-CD88EB39D144} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000007669647300001000800000aa00389b7100000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{6CFAD761-735D-4AA5-8AFC-AF91A7D61EBA}\FriendlyName = "MPEG-2 Video Stream Analyzer" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{ACD453BC-C58A-44D1-BBF5-BFB325BE2D78}\FriendlyName = "Microsoft MPEG-2 Audio Encoder" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FilterData = 020000000100800001000000000000003070693302000000000000000200000000000000000000003074793300000000480000005800000031747933000000006800000058000000646d637300001000800000aa00389b71000000000000000000000000000000007478747300001000800000aa00389b71 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\CLSID = "{51B4ABF3-748F-4E3B-A276-C828330E926A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{212690FB-83E5-4526-8FD7-74478B7939CD}\CLSID = "{212690FB-83E5-4526-8FD7-74478B7939CD}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{6E8D4A20-310C-11D0-B79A-00AA003767A7} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{AFB6C280-2C41-11D3-8A60-0000F81E0E4A}\CLSID = "{AFB6C280-2C41-11D3-8A60-0000F81E0E4A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FriendlyName = "AVI/WAV File Source" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{FEB50740-7BEF-11CE-9BD9-0000E202599C}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{9B8C4620-2C1A-11D0-8493-00A02438AD48}\CLSID = "{9B8C4620-2C1A-11D0-8493-00A02438AD48}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E2510970-F137-11CE-8B67-00AA00A3F1A6} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\CLSID = "{33FACFE0-A9BE-11D0-A520-00A0D10129C0}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{CC58E280-8AA1-11D1-B3F1-00AA003761C5}\CLSID = "{CC58E280-8AA1-11D1-B3F1-00AA003761C5}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{CC58E280-8AA1-11D1-B3F1-00AA003761C5}\FriendlyName = "Smart Tee" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{2DB47AE5-CF39-43C2-B4D6-0CD8D90946F4}\FriendlyName = "StreamBufferSink" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{ACD453BC-C58A-44D1-BBF5-BFB325BE2D78}\FilterData = 02000000000020000200000000000000307069330000000000000000010000000000000000000000307479330000000090000000a00000003170693308000000000000000400000000000000000000003074793300000000b0000000c00000003174793300000000b0000000d00000003274793300000000b0000000e0000000337479330000000090000000c00000006175647300001000800000aa00389b710100000000001000800000aa00389b7183eb36e44f52ce119f530020af0ba7702b806de046dbcf11b4d100805f6cbbea22806de046dbcf11b4d100805f6cbbea23806de046dbcf11b4d100805f6cbbea | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C1F400A4-3F08-11D3-9F0B-006008039E37}\FilterData = 020000000000200001000000000000003070693302000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C9F5FE02-F851-4EB5-99EE-AD602AF1E619}\FilterData = 02000000000020000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A5-7548-11CF-A520-0080C77EF58A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FriendlyName = "Line 21 Decoder 2" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{370A1D5D-DDEB-418C-81CD-189E0D4FA443}\FriendlyName = "VBI Codec" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FriendlyName = "Video Port Manager" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{814B9800-1C88-11D1-BAD9-00609744111A}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000080000000800000007669647300001000800000aa00389b71416a9b5a221ad111bad900609744111a00000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C1F400A0-3F08-11D3-9F0B-006008039E37}\FriendlyName = "SampleGrabber" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C1F400A4-3F08-11D3-9F0B-006008039E37}\CLSID = "{C1F400A4-3F08-11D3-9F0B-006008039E37}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E1F1A0B8-BEEE-490D-BA7C-066C40B5E2B9}\Capabilities | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000009000000083eb36e44f52ce119f530020af0ba770e0cffa33bea9d011a52000a0d10129c07478747300001000800000aa00389b7100000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{42150CD9-CA9A-4EA5-9939-30EE037F6E74} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{4EB31670-9FC6-11CF-AF6E-00AA00B67A42}\CLSID = "{4EB31670-9FC6-11CF-AF6E-00AA00B67A42}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330000000000000000010000000000000000000000307479330000000060000000800000006c175f45064bce479aef8caef73df7b500000000000000000000000000000000db271795ced2284596f63301fabb2de0 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{814B9800-1C88-11D1-BAD9-00609744111A} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{129D7E40-C10D-11D0-AFB9-00AA00B67A42}\CLSID = "{129D7E40-C10D-11D0-AFB9-00AA00B67A42}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Wave Parser" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FA10746C-9B63-4B6C-BC49-FC300EA5F256}\CLSID = "{FA10746C-9B63-4B6C-BC49-FC300EA5F256}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FriendlyName = "VGA 16 Color Ditherer" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C666E115-BB62-4027-A113-82D643FE2D99}\FriendlyName = "MPEG-2 Sections and Tables" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{E2448508-95DA-4205-9A27-7EC81E723B1A} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{FA10746C-9B63-4B6C-BC49-FC300EA5F256}\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\CLSID = "{70E102B0-5556-11CE-97C0-00AA0055595A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\FilterData = 02000000000040000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{AD6C8934-F31B-4F43-B5E4-0541C1452F6F}\FilterData = 020000000000200002000000000000003070693300000000000000000100000000000000000000003074793300000000600000007000000031706933080000000000000001000000000000000000000030747933000000008000000070000000e1762af70aebd011ace40000c0cc16bae3762af70aebd011ace40000c0cc16ba898a8bb849b0804cadcf5898985e22c1 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\CLSID = "{1643E180-90F5-11CE-97D5-00AA0055595A}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{3AE86B20-7BE8-11D1-ABE6-00A0C905F375} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{C666E115-BB62-4027-A113-82D643FE2D99}\CLSID = "{C666E115-BB62-4027-A113-82D643FE2D99}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{AD6C8934-F31B-4F43-B5E4-0541C1452F6F} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{AD6C8934-F31B-4F43-B5E4-0541C1452F6F}\CLSID = "{AD6C8934-F31B-4F43-B5E4-0541C1452F6F}" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{AFB6C280-2C41-11D3-8A60-0000F81E0E4A}\FriendlyName = "MPEG-2 Demultiplexer" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{CD8743A1-3736-11D0-9E69-00C04FD7C15B} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{1f26a602-2b5c-4b63-b8e8-9ea5c1a7dc2e}\FriendlyName = "SBE2MediaTypeProfile" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{2DB47AE5-CF39-43C2-B4D6-0CD8D90946F4}\FilterData = 02000000000020000000000000000000 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\Instance\{48025243-2D39-11CE-875D-00608CB78066} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/376-1-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-3-0x0000000003980000-0x0000000003B5F000-memory.dmp
memory/5056-5-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-11-0x0000000003980000-0x0000000003B5F000-memory.dmp
memory/5056-14-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-15-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-17-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-19-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-20-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-21-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-22-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-23-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-24-0x0000000003980000-0x0000000003B5F000-memory.dmp
memory/5056-25-0x0000000003980000-0x0000000003B5F000-memory.dmp
memory/5056-26-0x0000000003980000-0x0000000003B5F000-memory.dmp
memory/376-27-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-29-0x0000000000400000-0x0000000001566000-memory.dmp
memory/5056-30-0x0000000003980000-0x0000000003B5F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 18:01
Reported
2024-02-19 19:25
Platform
win7-20240215-en
Max time kernel
142s
Max time network
129s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\WinSATAPI.dll" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\ProgID\ = "QueryAllWinSAT" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D} | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74FBEB4-4539-9374-D9CA-00BC1507235D}\ = "CQueryAllWinSAT Class" | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
Network
Files
memory/2260-0-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-1-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/1840-5-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-8-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/2260-9-0x0000000003270000-0x00000000043D6000-memory.dmp
memory/1840-11-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-12-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/1840-14-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-15-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-17-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-19-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-20-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-21-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-22-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-23-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-24-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/1840-27-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/1840-28-0x00000000033E0000-0x00000000035BF000-memory.dmp
memory/2260-29-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-30-0x0000000000400000-0x0000000001566000-memory.dmp
memory/1840-32-0x00000000033E0000-0x00000000035BF000-memory.dmp