eedff853ad37727ab0f72128baacef121708cf9554c0260939c87e5db075eed0

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 11:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Size

8.0MB
MD5

668724f94f3b7b5318e17f7cc3e625f3
SHA1

7e967eb5ed090ea85d6f5fd07adade59dcbb0cb4
SHA256

eedff853ad37727ab0f72128baacef121708cf9554c0260939c87e5db075eed0
SHA512

c5412d345ad099167e3ec27539b8fbb7ad52912fe0c25d96c8bea761b36d1368840f79e3efd3b3da557542e7b89b828d7a2cb5c7186cb77dac4799dbc230fdae
SSDEEP

196608:YI43VGaR8wOYUOZdIlbotAdmSIdqLPwtQJ5zJ6:HgVGaNdUMC2ANIdqjwOs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\Y:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\O:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\U:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\L:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\T:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\V:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\Q:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\B:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\H:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\S:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\X:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\Z:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\P:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
File opened (read-only)	\??\R:	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeCreateTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeLockMemoryPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeIncreaseQuotaPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeMachineAccountPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeTcbPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSecurityPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeTakeOwnershipPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeLoadDriverPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemProfilePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemtimePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeProfSingleProcessPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeIncBasePriorityPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreatePagefilePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreatePermanentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeBackupPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeRestorePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeShutdownPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeDebugPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeAuditPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemEnvironmentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeChangeNotifyPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeRemoteShutdownPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeUndockPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSyncAgentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeEnableDelegationPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeManageVolumePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeImpersonatePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreateGlobalPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreateTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeLockMemoryPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeIncreaseQuotaPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeMachineAccountPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeTcbPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSecurityPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeTakeOwnershipPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeLoadDriverPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemProfilePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemtimePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeProfSingleProcessPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeIncBasePriorityPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreatePagefilePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreatePermanentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeBackupPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeRestorePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeShutdownPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeDebugPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeAuditPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSystemEnvironmentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeChangeNotifyPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeRemoteShutdownPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeUndockPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeSyncAgentPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeEnableDelegationPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeManageVolumePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeImpersonatePrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreateGlobalPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeCreateTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
Token: SeLockMemoryPrivilege	2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29
PID 2044 wrote to memory of 2664	2044	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_668724f94f3b7b5318e17f7cc3e625f3_mafia.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C78EDCBB15DF471C46C1158185D9C417 C
  2⤵
  - Loads dropped DLL
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\dialog

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6B41.tmp

Filesize
91KB

MD5
3fe30e3727ac3e4a3b6e832b6a14a1c4

SHA1
a27a7f7193f5255f4a7b4150a000998cb4a420cc

SHA256
b3bc41b77a13c3a45d43fd2a7b1cdf37f5212798c602282e0e0d1ec52a4dbb8f

SHA512
b842766faeb6ce7f641854f8d120d8c34808773d4c0916b3097f04f398bdf36e92405804ef998607ebbbf5299b42bdf35420f4cc99e4a82f1508b55a058e6827

Download Submit
C:\Users\Admin\AppData\Roaming\alekseih09\Интернет радио 101.ru 4.1.3.0\install\Интернет радио 101.ru.msi

Filesize
888KB

MD5
63ad0179fe59569c2b057550e0555c14

SHA1
4c48226cc16069616ff6a2d3cd82803fe899da9d

SHA256
15b17154af37da44a2cbbaf8d91be06bd143701957fd05930e510eeebd9718a9

SHA512
a5be19324eb0cdb754a8616548721d5c479c699a76beaf610e878f51caed838dbd95d9ad4f88a296c6e224528c6e7cea95d3a0cbe9046986d1d632df1643efd6

Download Submit
memory/2384-0-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2384-51-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download