Analysis

  • max time kernel
    126s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 16:24

General

  • Target

    2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe

  • Size

    549KB

  • MD5

    61baabd3480b2985f9df8d77a4a5b7f8

  • SHA1

    42e2a1ee4abc2a975732eb11ccea700f1f0fb46f

  • SHA256

    a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4

  • SHA512

    611fa2eb6a4f8b4c05c6e6656ab35d9c3bf58e615438d2791983e5005fd0235e942fd1d1e62b2fe852c3a689430f3c892ae3eb3b14a00a763d2b015ba0072559

  • SSDEEP

    12288:Z+QhIge+c1e7NR5rq2z9bZBnml/WkjtQhbYjtj:cQIiUehR5rN9FMvsitj

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 32 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall in the registry to enumerate the software installed on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer; they are registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and loaded by Internet Explorer at start. In this run the hits come from the regsvr32 registration of IEHint.dll and IEHint64.dll (PIDs 2316 and 2148 in the tree below).

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. Here the single IoC is attributed to the installer DownLoadDlg.exe (PID 2660); a lone write IoC on an installer process should be confirmed against the raw disk-access events in the full report before the sample is classified as a bootkit, since the rest of the tree is a download-manager install chain.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 38 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:3052
    • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
      "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe
        "C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe" /Update
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload.dll"
          4⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:2320
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:2316
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"
            5⤵
            • Loads dropped DLL
            • Registers COM server for autorun
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:1600
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:860
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"
            5⤵
            • Loads dropped DLL
            • Registers COM server for autorun
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:2148
        • C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe
          "C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Install
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:880
        • C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe
          "C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe" /Regserver
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          PID:1300
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2348
      • C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe
        "C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2344
        • C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe
          "C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe" MiniThunderPlatform2024-04-2916:24:37 "C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe"
          4⤵
          • Executes dropped EXE
          PID:324
  • C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe
    "C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1668
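The parts of this tree worth turning into detections are the silent regsvr32 registrations of DLLs out of Program Files (x86), the 32-bit regsvr32 re-launching the native one for the 64-bit DLLs, the %TEMP% dropper spawning into Program Files, and the root-level UpdateService.exe /Service instance that runs without a parent in the tree. The following is an added example (Python), not the sandbox's own signature logic: the process list is constructed from the PIDs, images and command lines shown above, with parent PIDs taken from the tree's indentation and long command lines abbreviated; the rule names and the choice of C:\Windows as the only trusted root for a silently registered DLL are assumptions.

```python
"""Detection rules over the sandbox process tree above (added example).

Process records are constructed from the report: PIDs, images and command
lines as printed, parent PIDs from the tree's indentation, long command lines
abbreviated with "...". Rule names and the trusted-root choice are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for a root of the tree (level 1 in the report)
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PF86 = r"C:\Program Files (x86)\SogouDownLoad"
WOW = r"C:\Windows\SysWOW64\regsvr32.exe"
NAT = r"C:\Windows\system32\regsvr32.exe"

# Constructed from the report's process tree; parent PIDs follow its indentation.
TREE: List[Proc] = [
    Proc(1984, None, TEMP + r"\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe", ""),
    Proc(3052, 1984, TEMP + r"\minidownload.exe", ""),
    Proc(2660, 1984, PF86 + r"\DownLoadDlg.exe", "/Install?status=true&softurl=..."),
    Proc(2236, 2660, PF86 + r"\tmp\ExternalApp.exe", "/Update"),
    Proc(2320, 2236, WOW, f'regsvr32.exe /s "{PF86}\\npdownload.dll"'),
    Proc(2316, 2236, WOW, f'regsvr32.exe /s "{PF86}\\IEHint.dll"'),
    Proc(1560, 2236, WOW, f'regsvr32.exe /s "{PF86}\\npdownload64.dll"'),
    Proc(1600, 1560, NAT, f'/s "{PF86}\\npdownload64.dll"'),
    Proc(860, 2236, WOW, f'regsvr32.exe /s "{PF86}\\IEHint64.dll"'),
    Proc(2148, 860, NAT, f'/s "{PF86}\\IEHint64.dll"'),
    Proc(880, 2236, PF86 + r"\update\UpdateService.exe", "/Install"),
    Proc(1300, 2236, PF86 + r"\XLDownloadCom.exe", "/Regserver"),
    Proc(2348, 2236, WOW, f'regsvr32.exe /s "{PF86}\\XLDownloadComPS.dll"'),
    Proc(2344, 2660, PF86 + r"\download\MiniTPFw.exe", ""),
    Proc(324, 2344, PF86 + r"\download\ThunderFW.exe", "MiniThunderPlatform2024-04-2916:24:37 ..."),
    Proc(1668, None, PF86 + r"\update\UpdateService.exe", "/Service"),
]

DLL_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)
SILENT_RE = re.compile(r"(?:^|\s)/s(?:\s|$)", re.IGNORECASE)  # the /s (silent) switch as its own token


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under(path: str, root: str) -> bool:
    """True if path lies below the directory root (case-insensitive)."""
    return path.lower().startswith(root.lower() + "\\")


def analyse(tree: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for every process that matches a rule."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in tree}
    findings: List[Tuple[str, int]] = []
    # Images that were run with an /Install switch earlier in the trace.
    installed = {p.image.lower() for p in tree if "/install" in p.cmdline.lower()}
    for p in tree:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        is_regsvr = basename(p.image) == "regsvr32.exe"
        # Rule 1: silent regsvr32 of a DLL that does not live under C:\Windows.
        if is_regsvr and SILENT_RE.search(p.cmdline):
            m = DLL_RE.search(p.cmdline)
            if m and not under(m.group(1), r"C:\Windows"):
                findings.append(("regsvr32_silent_nonsystem_dll", p.pid))
        # Rule 2: WoW64 regsvr32 handing a 64-bit DLL to the native regsvr32.
        if (parent and is_regsvr and basename(parent.image) == "regsvr32.exe"
                and under(parent.image, r"C:\Windows\SysWOW64")
                and under(p.image, r"C:\Windows\System32")):
            findings.append(("wow64_regsvr32_reexec", p.pid))
        # Rule 3: a binary running from %TEMP% spawns one it placed in Program Files.
        if parent and under(parent.image, TEMP) and under(p.image, r"C:\Program Files (x86)"):
            findings.append(("temp_spawns_program_files", p.pid))
        # Rule 4: a root-level instance of an image that was earlier run with /Install,
        # i.e. the installed service now starts on its own rather than under the installer.
        if p.ppid is None and p.image.lower() in installed and "/install" not in p.cmdline.lower():
            findings.append(("installed_service_running", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(TREE):
        print(f"{pid:>5}  {rule}")
```

Rule 1 fires on all seven regsvr32 instances, rule 2 on the two native ones (PIDs 1600 and 2148), rule 3 on DownLoadDlg.exe, and rule 4 on the UpdateService.exe /Service root; feeding the same tuples from an EDR process log gives the same verdicts without the sandbox.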

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

    Filesize

    529KB

    MD5

    46339e5e0b54acec4be3b105ee123b36

    SHA1

    29963314f6b97d8511caadbf9b2b531ae9fd8344

    SHA256

    a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb

    SHA512

    72a07caf7ad0209400e6acba520594428560ebd81f4c7baa350392fb73b75a8907ce9b175088893d9de2bf0ad710ff2a5a3c0abb0add38fdf538ff6ce870a65c

  • C:\Program Files (x86)\SogouDownLoad\IEHint.dll

    Filesize

    300KB

    MD5

    6cffe36e5e3d9364a18eaf4a44ebfc23

    SHA1

    8a3bb3fa5f76a7eac5dfc4bd201a5e5203c10bcf

    SHA256

    cd57765f8cea6a4f422862c0b8a3e1945f17292e4c14b31333ec1525e05c6025

    SHA512

    7e145a0a79bd3d8caa89bae2ddb1187ff4de481426bb820cdf8f0206c96819d38af0ade5aad6c9e89da4e11dad6d5ab692f3d8bb25b90da2596bf49619fe325b

  • C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe

    Filesize

    58KB

    MD5

    58bb62e88687791ad2ea5d8d6e3fe18b

    SHA1

    0ffb029064741d10c9cf3f629202aa97167883de

    SHA256

    f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

    SHA512

    cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

  • C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe

    Filesize

    71KB

    MD5

    f0372ff8a6148498b19e04203dbb9e69

    SHA1

    27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

    SHA256

    298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

    SHA512

    65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

  • C:\Program Files (x86)\SogouDownLoad\html\css\down.css

    Filesize

    2KB

    MD5

    84db4fb862441444de44fc92f7872b28

    SHA1

    e84789926527cfc0f07000720799266e7337ce85

    SHA256

    2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1

    SHA512

    39e4b7ace01af64248afcbebd01a1fb550dbb441ca9d083e0ad33cd8a7b859af86baf91d1ddfeb5fe6aafb07cfcbcfee69eb1b4d8016ad974126dbbf31bb3d7c

  • C:\Program Files (x86)\SogouDownLoad\html\download.html

    Filesize

    4KB

    MD5

    e50275eb17164ac5d97624940ab96a6e

    SHA1

    13ee435c49a781db1bebccfa33a8b0c28446ec86

    SHA256

    afac1879d10be5235a4d074c9084e61aadff82aab839bacc96e39d103ba4f843

    SHA512

    4f2cb13394555cd34ad2219740d342f71186c33409c3a69cc454486341b8cbc924e2b5d3208a86b45343dc1fccc2217beb0126fba467f920f014d94516dd0fbb

  • C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif

    Filesize

    2KB

    MD5

    70d3c5cc5e7561ae74683b1ce4530392

    SHA1

    46c09ecdd29f1ef35de4b4b3aea3854099910597

    SHA256

    49c130fe7fd6e0d9b9e277383d7b977e2230a2986b311efa6c6e2152b46e26c4

    SHA512

    3b02311524984112da93c8bbd09898532870017dcc5c3da1915e31fdf90d22a5bbed2f7328cd938a55c2b296c6ba5edee7fed7fafa6397a8f959c657c1b3b533

  • C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif

    Filesize

    1KB

    MD5

    49e7f208e1f652e42b9c46eaa3df8cdf

    SHA1

    7f24027e0069d4bc93655afd1a0bae4817b0a4bb

    SHA256

    65ec71c6bcf1a5de158c7b71b3c55a71848bc2a7c15f94f7bcdaac3effd4da0e

    SHA512

    b85f4be2a43bc1ee0ef19bfbd99d7c4d1d41a8a596748770c9c00e2456c6cfb02c7130dc3d24b88dba0d7f7c929bd5fa87905804c129052a9b70098f3cdb0b1e

  • C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif

    Filesize

    1KB

    MD5

    35cbcf30c37a40b66a7bdd9520907213

    SHA1

    f1d252908873ba61906535d7bf14ced37be2aabc

    SHA256

    4ae4ea3c7949bffc51a37c6219a9612594c2c48e2b92bff2c5991162b9ce9e41

    SHA512

    654a0edee6601c679780550a4d2c080f81acdaf19d470d26164d791f774f6b3efcbc294a9b3f481183f1cff2fe5c2542e4aa3307513ca3499dcd569d0fcb112d

  • C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif

    Filesize

    657B

    MD5

    0e0ac8352cd69f396f271fa32f3ab554

    SHA1

    ed6d306a5033707f45477df3318a53d15b47cf43

    SHA256

    c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c

    SHA512

    5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

  • C:\Program Files (x86)\SogouDownLoad\npdownload.dll

    Filesize

    263KB

    MD5

    09c16c79a0093b38ef756c58c32d75e2

    SHA1

    d6721cc14a1dd1879a923b38fd046d6e8b0f40df

    SHA256

    a93cce637743104e4d418eca05f238405b3e97672163d8abd1ad429045f843b6

    SHA512

    eabb9237b5121e9755a01d4e9522513fbf5ea4594779d336fe373708933006b94d10a23a749efc623177296b1270337a63aab46d4990a0ee1f73df7ee8622f87

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HB04BWRE.txt

    Filesize

    95B

    MD5

    43e6c149f44996d17a2b792b51526564

    SHA1

    89c5d614ff2a2609e875b7f6f2993174e9eb24f5

    SHA256

    2d5bdea43c39aca9660c8b48dcee3aea545bba6412e8e200e8dd6f7eea9897b6

    SHA512

    13110b6da95525729916d94b6ad19d567b3ad08bf45456c66dd6521a5d4b08b0c16ca27f6790c6d1175efde07204c918a13ce2cd991dd1044deb9f7b7a0850f7

  • \Program Files (x86)\SogouDownLoad\DlgHandler.dll

    Filesize

    191KB

    MD5

    87d4aa3496919af493c9365619c3fd53

    SHA1

    a883a0be2940811ef9232592c811b854f684f4b7

    SHA256

    d4a4eb61a6ffba806c3f34fa6bb5fca32489f53138dbaf324a8b2d210afa0771

    SHA512

    064637554b7e7e1c5699f4e4ced73dd4ca7bf87172009b121bedeb864f8e3d03a1352b6f6b9515b9a4020137e07b9981476a664eadbd27bd32acdd8a53003372

  • \Program Files (x86)\SogouDownLoad\IEHint64.dll

    Filesize

    346KB

    MD5

    30e7e39b49c8590aec85aca2664ff3e7

    SHA1

    8273c46fb4666e44ce3865012529aebb6aa95f1c

    SHA256

    3d3f8c1a05c2b5b5362b9ee0ddc1ce653a22abf0b559acceebcc82b73dbaf79a

    SHA512

    8d967605e4be98929cf6b508dccc217e60186da44dcb594d16e286f29b66c846dc1c4e676fab235de7f2326bcb4aae30528a535136de72f6a978a48d8a424245

  • \Program Files (x86)\SogouDownLoad\XLDownloadCom.exe

    Filesize

    133KB

    MD5

    004dcd89684f7fc42d3c77edf80dfc92

    SHA1

    8a086552df8c17ad146518757689f9237e27b87d

    SHA256

    67510f7dd0476f12e07901ac0344d92186dd761a52398ee1e835421382094f1b

    SHA512

    3a60493e77a7e59147d2b75bed788062d7482d922062d63a40ba3a050013736ce28e1f6319ba3eb7faecc44de9332ff571c028ea8582270d614d9659bf2769ac

  • \Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll

    Filesize

    42KB

    MD5

    ef217dde650c290e6f15bdbd7f55f26d

    SHA1

    87ef4ca0ac1f7dd6c50bdaa0aeeebc3d1e132dcf

    SHA256

    a445ea86ffb20f9540d53aa12dc8f3737a9c87573241b9c5686109533b92e890

    SHA512

    d2ae2574d2fa5455b590513066bdee9d3765bffd6b82450a5e619d01d4378013cbdcb4f0d9cec47ba7f03125098945c07cb0c6274a9a1ad0346bddd10fe022b5

  • \Program Files (x86)\SogouDownLoad\npdownload64.dll

    Filesize

    302KB

    MD5

    8523eee6d4c49b110e6c19ecfd7e5620

    SHA1

    434ddf9f77f904812ef4c3c2329ce057b30dfdfc

    SHA256

    a4917bf56e25576632e808c5199c3c43eb21c866e4e6eb6747c79168f6044c57

    SHA512

    bb916842beac0a605675dda9bf240b2f75437a61bbdd3d89fd464694167db7addb9fd6dd2fce482b9670c9c0e46eb9b3952cf538fb555ade10a9787f4081934a

  • \Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe

    Filesize

    2.4MB

    MD5

    b58d945d3d2b83eb5199d60fc27d0e6a

    SHA1

    3b70e368422bab5ff123d1ef6c5779adb540ef5a

    SHA256

    905de1f8ab574888fa9dbe7bb5a060ca1c09f710fed2c98e3c2699e595343b79

    SHA512

    027b6ab2197451dae5224c6f3417120d3b7e1ca5cb1801e4a952cac4b832deeacd16955bb3cb3c13553317685609eac6a2202ce8d2ab85837963a5a1478eacdd

  • \Program Files (x86)\SogouDownLoad\update\UpdateService.exe

    Filesize

    154KB

    MD5

    44f5df9407679e7385a0a3a925fbc39b

    SHA1

    95681735e2b3e8d0296b39fb505a6e6644e2330b

    SHA256

    a1779be9ef6a3ec798578c0b79a279d34316872d8509eb37f62c98b2fe6af23f

    SHA512

    bf02965127b81da708e13b519b822903de9999b797bbd0ed6697a39e95279511c9e9044d793ef69d9a11f3d518fce1ba85250bbe58c6255f660a09bced35c63f

  • \Users\Admin\AppData\Local\Temp\minidownload.exe

    Filesize

    232KB

    MD5

    8ee60bd9893bafd259db1189e6650bff

    SHA1

    d3be976a5a7519f0c608b3f542b9df622ad14a97

    SHA256

    a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d

    SHA512

    78492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7

  • \Users\Admin\AppData\Local\Temp\nsd36CA.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/2660-28-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB
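The hash list above is the part of the report that feeds a blocklist, and the format is regular enough to parse rather than copy by hand. The following is an added Python example, not tooling from the sandbox: it reads the "Downloads" section as printed (a bullet with the path, then field name and value pairs), validates each hash by length and character set, converts the rounded sizes to bytes, and keeps only the dropped PE files, which is the set worth blocking. The excerpt embedded in the block is copied from entries above, with blank lines and some hash fields omitted; the function names are mine.

```python
"""Parser for the sandbox report's Downloads section (added example).

REPORT_EXCERPT is copied from the entries above (blank lines and some hash
fields dropped for brevity); it is a constructed excerpt, not the full list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

REPORT_EXCERPT = r"""
  • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
    Filesize
    529KB
    MD5
    46339e5e0b54acec4be3b105ee123b36
    SHA1
    29963314f6b97d8511caadbf9b2b531ae9fd8344
    SHA256
    a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb
  • C:\Program Files (x86)\SogouDownLoad\IEHint.dll
    Filesize
    300KB
    MD5
    6cffe36e5e3d9364a18eaf4a44ebfc23
    SHA256
    cd57765f8cea6a4f422862c0b8a3e1945f17292e4c14b31333ec1525e05c6025
  • C:\Program Files (x86)\SogouDownLoad\html\css\down.css
    Filesize
    2KB
    MD5
    84db4fb862441444de44fc92f7872b28
    SHA256
    2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1
  • \Program Files (x86)\SogouDownLoad\npdownload64.dll
    Filesize
    302KB
    MD5
    8523eee6d4c49b110e6c19ecfd7e5620
    SHA256
    a4917bf56e25576632e808c5199c3c43eb21c866e4e6eb6747c79168f6044c57
  • memory/2660-28-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize
    4KB
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}


@dataclass
class Drop:
    path: str
    size_bytes: int = 0                      # rounded; the report prints KB/MB
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_pe(self) -> bool:
        return self.path.lower().endswith((".exe", ".dll"))


def parse_downloads(text: str) -> List[Drop]:
    """Walk the section line by line: a bullet opens a record, a field name
    announces which value the next non-empty line carries."""
    drops: List[Drop] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            drops.append(Drop(path=line[1:].strip()))
            pending = None
        elif line in FIELDS:
            pending = line
        elif pending and drops:
            if pending == "Filesize":
                m = SIZE_RE.match(line)
                if m:
                    drops[-1].size_bytes = int(float(m.group(1)) * UNIT[m.group(2)])
            else:
                # A hash that is not lowercase hex of the right length is a copy error.
                if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[pending], line):
                    raise ValueError(f"bad {pending} for {drops[-1].path}: {line}")
                drops[-1].hashes[pending] = line
            pending = None
    return drops


def pe_drops(drops: List[Drop]) -> List[Drop]:
    """Only the executables and DLLs; HTML, GIF and cookie drops are noise."""
    return [d for d in drops if d.is_pe]


def blocklist(drops: List[Drop]) -> List[str]:
    """One 'sha256  path' line per dropped PE, for import into an IOC list."""
    return [f"{d.hashes['SHA256']}  {d.path}" for d in pe_drops(drops) if "SHA256" in d.hashes]


if __name__ == "__main__":
    print("\n".join(blocklist(parse_downloads(REPORT_EXCERPT))))
```

Paste the full Downloads section in place of the excerpt to get every dropped PE; the memory-dump entry at the end of the list shows why a record may carry no hashes at all, which is why blocklist() checks for SHA256 before using it.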