Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    26/05/2024, 03:49

General

  • Target

    2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

  • Size

    4.1MB

  • MD5

    a9a4949fb754d99bc69284cb1cf8c39f

  • SHA1

    dd60f150762cf13de06df4b8e64bb27c719d6d80

  • SHA256

    4d770a637191881ffccb789f004cd0402ac26c53da7d309a58c50926f873eda7

  • SHA512

    c273c28ba0c0dd25edc41170197c18bf894cf30ca358411e33ae8143ecaf8d624a403971ed2d5ff9db0fea9a23c903344e32b5907156231c76f838b6b4e63830

  • SSDEEP

    98304:Fmp3JRcMEXolWyRqvbNqoiS3Dp0oHEvJ4CloCUNsoj9ghi1RebMIg9Cbk/V8NgBk:w2eWUqvbN+smPoCUNsojDIg9Cbk/V8Nr

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Modifies registry class 24 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\Rundll32.exe
        Rundll32 C:\Windows\system32\uctetbtb.dll Exbcute
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\net.exe
          net stop WinDefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2092
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop WinDefend
            5⤵
            PID:2520
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            5⤵
            PID:1536
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          4⤵
          • Launches sc.exe
          PID:2652
        • C:\Windows\SysWOW64\sc.exe
          sc config MpsSvc start= disabled
          4⤵
          • Launches sc.exe
          PID:2620
        • C:\Windows\SysWOW64\sc.exe
          sc stop ZhuDongFangYu
          4⤵
          • Launches sc.exe
          PID:2636
        • C:\Windows\SysWOW64\sc.exe
          sc delete ZhuDongFangYu
          4⤵
          • Launches sc.exe
          PID:2900
        • C:\Windows\SysWOW64\sc.exe
          sc stop 360rp
          4⤵
          • Launches sc.exe
          PID:2628
        • C:\Windows\SysWOW64\sc.exe
          sc delete 360rp
          4⤵
          • Launches sc.exe
          PID:2788
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" stop PolicyAgent
          4⤵
          • Launches sc.exe
          PID:1964
      • C:\Windows\SysWOW64\Rundll32.exe
        Rundll32 C:\Windows\system32\hwvetbtb.dll Exbcute
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        PID:2812
    • C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
      C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1724
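The tree above is a textbook defence-impairment chain: a dropped system.exe has rundll32 load uctetbtb.dll, which then stops and disables Windows Defender (WinDefend) and the Windows Firewall (MpsSvc) via net.exe and sc.exe, stops the IPsec Policy Agent, and stops and deletes ZhuDongFangYu and 360rp (service names associated with Qihoo 360 products). Below is an added detection example, not part of the sandbox report, that runs over process-creation records modelled on this tree (Sysmon Event ID 1 style fields: pid, ppid, image, command line) and raises one alert per process-tree root. The EVENTS list is constructed from the PIDs and command lines reported above plus one benign control record; the PROTECTED_SERVICES set and the threshold of two distinct tampering actions are assumptions to tune for your estate.

```python
"""Detect the service-tampering chain shown in the process tree.

Added example; not part of the sandbox report. Consumes process-creation
records (pid, ppid, image, command line) and alerts per process-tree root
that stops, deletes or disables more than one protected security service.
"""
import re
from collections import defaultdict

# Assumed list: services the sample targets. WinDefend / MpsSvc / PolicyAgent are
# Windows (Defender, Firewall, IPsec); ZhuDongFangYu / 360rp are Qihoo 360 names.
PROTECTED_SERVICES = {"windefend", "mpssvc", "policyagent", "zhudongfangyu", "360rp"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def tool_name(path_or_token):
    """'C:\\Windows\\System32\\sc.exe' -> 'sc'; bare 'Rundll32' -> 'rundll32'."""
    base = path_or_token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def classify(cmd):
    """Return (action, service) when cmd tampers with a protected service, else None."""
    toks = tokenize(cmd)
    if len(toks) < 3:
        return None
    tool, verb, target = tool_name(toks[0]), toks[1].lower(), toks[2].lower()
    if target not in PROTECTED_SERVICES:
        return None
    if tool in ("net", "net1") and verb == "stop":   # net.exe re-spawns net1.exe with the same args
        return ("stop", target)
    if tool == "sc":
        if verb in ("stop", "delete"):
            return (verb, target)
        # 'start= disabled' (as in the tree) and 'start=disabled' both occur
        if verb == "config" and "start=disabled" in "".join(t.lower() for t in toks[3:]):
            return ("disable", target)
    return None


def lineage(by_pid, pid):
    """Walk ppid links upward; return the chain root-first (stops at unknown PIDs)."""
    path, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        path.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(path))


def detect(events, min_distinct=2):
    """Group hits under their tree root; alert at >= min_distinct distinct
    (action, service) pairs. Counting distinct pairs rather than raw events
    means the net.exe -> net1.exe duplicate does not inflate the score and a
    lone 'net stop MpsSvc' typed by an admin stays below threshold."""
    by_pid = {e["pid"]: e for e in events}
    hits, chains = defaultdict(set), defaultdict(set)
    for e in events:
        hit = classify(e["cmd"])
        if hit is None:
            continue
        chain = lineage(by_pid, e["pid"])
        root = chain[0]["pid"]
        hits[root].add(hit)
        chains[root].add(" -> ".join(tool_name(p["image"]) for p in chain))
    return [
        {"root_pid": root, "root_image": by_pid[root]["image"],
         "tampering": sorted(h), "chains": sorted(chains[root])}
        for root, h in hits.items() if len(h) >= min_distinct
    ]


# Constructed from the tree above (PIDs and command lines as reported); the
# final record is a benign control that must not contribute to the alert.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"
EVENTS = [
    {"pid": 1848, "ppid": 1000, "image": SAMPLE, "cmd": '"%s"' % SAMPLE},
    {"pid": 1992, "ppid": 1848, "image": r"C:\Windows\SysWOW64\system.exe", "cmd": r"C:\Windows\system32\system.exe"},
    {"pid": 2780, "ppid": 1992, "image": r"C:\Windows\SysWOW64\Rundll32.exe", "cmd": r"Rundll32 C:\Windows\system32\uctetbtb.dll Exbcute"},
    {"pid": 2092, "ppid": 2780, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": "net stop WinDefend"},
    {"pid": 2520, "ppid": 2092, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r"C:\Windows\system32\net1 stop WinDefend"},
    {"pid": 1504, "ppid": 2780, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": "net stop MpsSvc"},
    {"pid": 1536, "ppid": 1504, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"pid": 2652, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc config WinDefend start= disabled"},
    {"pid": 2620, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc config MpsSvc start= disabled"},
    {"pid": 2636, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc stop ZhuDongFangYu"},
    {"pid": 2900, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc delete ZhuDongFangYu"},
    {"pid": 2628, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc stop 360rp"},
    {"pid": 2788, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": "sc delete 360rp"},
    {"pid": 1964, "ppid": 2780, "image": r"C:\Windows\SysWOW64\sc.exe", "cmd": r'"C:\Windows\System32\sc.exe" stop PolicyAgent'},
    {"pid": 2812, "ppid": 1992, "image": r"C:\Windows\SysWOW64\Rundll32.exe", "cmd": r"Rundll32 C:\Windows\system32\hwvetbtb.dll Exbcute"},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\net.exe", "cmd": "net stop Spooler"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["root_pid"], alert["tampering"])
        for c in alert["chains"]:
            print("  ", c)
```

On the report's tree this yields a single alert rooted at PID 1848 with nine distinct tampering actions and three distinct lineages (root -> system -> rundll32 -> net, -> net -> net1, and -> sc). Attributing hits to the tree root rather than to the immediate parent matters here because the tampering processes are grandchildren of the dropped system.exe, not of the submitted sample; a per-parent rule would only ever see a LOLBin (rundll32) as the actor.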

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\hwvetbtb.dll

    Filesize

    24KB

    MD5

    af18ffd71cf2abe49e60353b9202bf70

    SHA1

    fca0fb502f5d79eacfb6b3af613e9f38e30220d8

    SHA256

    adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac

    SHA512

    3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb

  • C:\Windows\SysWOW64\uctetbtb.dll

    Filesize

    75KB

    MD5

    9b0bdefd566a844ab82d31d41cae80eb

    SHA1

    11221562bee4503b003ba5f8e7be67df92093dd9

    SHA256

    c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc

    SHA512

    66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909

  • \Users\Admin\AppData\Local\Temp\13DE.tmp

    Filesize

    1.7MB

    MD5

    b5eb5bd3066959611e1f7a80fd6cc172

    SHA1

    6fb1532059212c840737b3f923a9c0b152c0887a

    SHA256

    1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

    SHA512

    6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

  • \Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

    Filesize

    3.9MB

    MD5

    5bac61ee3eeb945c3f8be6e59986d9d6

    SHA1

    55697ed64c01452387f25d00c21b6d4cbd3e9a2b

    SHA256

    fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24

    SHA512

    0198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed

  • \Windows\SysWOW64\system.exe

    Filesize

    144KB

    MD5

    2de43a2571b821f9cdcd84c3c23b7ce6

    SHA1

    ff038212807b5cc4ce85009877350a25f3495f1d

    SHA256

    894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7

    SHA512

    de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7

  • memory/1848-0-0x0000000000910000-0x0000000000D2D000-memory.dmp

    Filesize

    4.1MB

  • memory/1848-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/1848-56-0x0000000000910000-0x0000000000D2D000-memory.dmp

    Filesize

    4.1MB