Analysis
-
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 21:07
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe
  Resource: win10v2004-20240426-en
General
-
Target: 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe
Size: 12.6MB
MD5: 5756d11a99b650ab3936a31831582bb6
SHA1: 5ecaa88c1ec46d05b8e6a6423d1c553372035aad
SHA256: fb05f62c977f9e9fd53ea0a129de87e4e1052824735d38b02af55332cbedae29
SHA512: 8b1a6fcc61d0e8db24032a68394b305c096b166948218a9b25f2103412f8845b429043156a4f524e90a8d81915e350bbe9245943e913e9bea8250802f8585f8a
SSDEEP: 6144:DqXbY+SAjhUEzmPy0jhM7o8cMp/sP9gdiw1fagj1x2EqqqqqqqqqqqqqqqqqqqqD:DqLY+4oAfj2o8X/U9gdjj
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Windows security bypass
Processes:
  svchost.exe
    description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hbgguaa = "0"
    process: svchost.exe
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  netsh.exe (pid 2600)
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  svchost.exe
    description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hbgguaa\ImagePath = "C:\\Windows\\SysWOW64\\hbgguaa\\adlljhlu.exe"
    process: svchost.exe
-
Deletes itself 1 IoCs
Processes:
  svchost.exe (pid 2536)
-
Executes dropped EXE 1 IoCs
Processes:
  adlljhlu.exe (pid 2772)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  adlljhlu.exe (pid 2772) set thread context of svchost.exe (pid 2536)
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  sc.exe (pid 2580)
  sc.exe (pid 2696)
  sc.exe (pid 2540)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (source process -> target process, number of recorded writes):
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2748 cmd.exe (4)
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2972 cmd.exe (4)
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2580 sc.exe (4)
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2696 sc.exe (4)
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2540 sc.exe (4)
  PID 1308 2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe -> PID 2600 netsh.exe (4)
  PID 2772 adlljhlu.exe -> PID 2536 svchost.exe (6)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hbgguaa\
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\adlljhlu.exe" C:\Windows\SysWOW64\hbgguaa\
  -
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create hbgguaa binPath= "C:\Windows\SysWOW64\hbgguaa\adlljhlu.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description hbgguaa "wifi internet conection"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start hbgguaa
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
-
C:\Windows\SysWOW64\hbgguaa\adlljhlu.exe
  command line: C:\Windows\SysWOW64\hbgguaa\adlljhlu.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-05-23_5756d11a99b650ab3936a31831582bb6_mafia.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\adlljhlu.exe
  Filesize: 10.5MB
  MD5: 21ec865b65935110c03dbcf76522c192
  SHA1: d8647168318a507480633a7cab33c4e57255ec8f
  SHA256: b74114a3b966a512ecd144b96f13b5fd5f55201e55f9c772ad1f2533b5bcc56d
  SHA512: b3d95f7e4585dfcd8ee2ed65906f247495e13fff515e0e2f1f5e23920b4b7bdfefadf1dafca7887ebecf86ea9a41bf905ec75666f53997c8b7db211bd8cd9669
-
memory/1308-1-0x0000000000690000-0x0000000000790000-memory.dmp
  Filesize: 1024KB
-
memory/1308-2-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
-
memory/1308-6-0x0000000000400000-0x000000000051A000-memory.dmp
  Filesize: 1.1MB
-
memory/1308-8-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
-
memory/1308-7-0x0000000000690000-0x0000000000790000-memory.dmp
  Filesize: 1024KB
-
memory/2536-13-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/2536-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
-
memory/2536-10-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/2536-16-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/2536-17-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/2772-14-0x0000000000400000-0x000000000051A000-memory.dmp
  Filesize: 1.1MB