Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 03:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
-
Size
4.1MB
-
MD5
a9a4949fb754d99bc69284cb1cf8c39f
-
SHA1
dd60f150762cf13de06df4b8e64bb27c719d6d80
-
SHA256
4d770a637191881ffccb789f004cd0402ac26c53da7d309a58c50926f873eda7
-
SHA512
c273c28ba0c0dd25edc41170197c18bf894cf30ca358411e33ae8143ecaf8d624a403971ed2d5ff9db0fea9a23c903344e32b5907156231c76f838b6b4e63830
-
SSDEEP
98304:Fmp3JRcMEXolWyRqvbNqoiS3Dp0oHEvJ4CloCUNsoj9ghi1RebMIg9Cbk/V8NgBk:w2eWUqvbN+smPoCUNsojDIg9Cbk/V8Nr
Malware Config
Signatures
-
Detects executables containing possible sandbox analysis VM usernames 1 IoCs
resource yara_rule behavioral2/files/0x000800000002341e-28.dat INDICATOR_SUSPICIOUS_EXE_SandboxUserNames -
Blocklisted process makes network request 1 IoCs
flow pid Process 8 3112 Rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Rundll32.exe -
Executes dropped EXE 2 IoCs
pid Process 228 system.exe 768 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe -
Loads dropped DLL 3 IoCs
pid Process 4124 Rundll32.exe 3112 Rundll32.exe 3112 Rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" Rundll32.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: Rundll32.exe File opened (read-only) \??\F: Rundll32.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\system.exe 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe File created C:\Windows\SysWOW64\kkbemgaa.dll system.exe File created C:\Windows\SysWOW64\hhffmgaa.dll system.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\AAV\CDriver.sys Rundll32.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4928 sc.exe 4344 sc.exe 4048 sc.exe 4672 sc.exe 2600 sc.exe 3432 sc.exe 4396 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /dde" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec\ = "[open(\"%1\")]" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec\ = "[print(\"%1\")]" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\ = "WalkScriptor.Document" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE,1" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew\NullFile 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ = "WalkScriptor.Document" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe 4124 Rundll32.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 664 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 768 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 768 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 768 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 1192 wrote to memory of 228 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 83 PID 1192 wrote to memory of 228 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 83 PID 1192 wrote to memory of 228 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 83 PID 228 wrote to memory of 4124 228 system.exe 84 PID 228 wrote to memory of 4124 228 system.exe 84 PID 228 wrote to memory of 4124 228 system.exe 84 PID 4124 wrote to memory of 4756 4124 Rundll32.exe 85 PID 4124 wrote to memory of 4756 4124 Rundll32.exe 85 PID 4124 wrote to memory of 4756 4124 Rundll32.exe 85 PID 4124 wrote to memory of 3412 4124 Rundll32.exe 86 PID 4124 wrote to memory of 3412 4124 Rundll32.exe 86 PID 4124 wrote to memory of 3412 4124 Rundll32.exe 86 PID 4124 wrote to memory of 4344 4124 Rundll32.exe 87 PID 4124 wrote to memory of 4344 4124 Rundll32.exe 87 PID 4124 wrote to memory of 4344 4124 Rundll32.exe 87 PID 4124 wrote to memory of 4396 4124 Rundll32.exe 88 PID 4124 wrote to memory of 4396 4124 Rundll32.exe 88 PID 4124 wrote to memory of 4396 4124 Rundll32.exe 88 PID 4124 wrote to memory of 3432 4124 Rundll32.exe 92 PID 4124 wrote to memory of 3432 4124 Rundll32.exe 92 PID 4124 wrote to memory of 3432 4124 Rundll32.exe 92 PID 4124 wrote to memory of 2600 4124 Rundll32.exe 93 PID 4124 wrote to memory of 2600 4124 Rundll32.exe 93 PID 4124 wrote to memory of 2600 4124 Rundll32.exe 93 PID 4124 wrote to memory of 4672 4124 Rundll32.exe 94 PID 4124 wrote to memory of 4672 4124 Rundll32.exe 94 PID 4124 wrote to memory of 4672 4124 Rundll32.exe 94 PID 4124 wrote to memory of 4048 4124 Rundll32.exe 95 PID 4124 wrote to memory of 4048 4124 Rundll32.exe 95 PID 4124 wrote to memory of 4048 4124 Rundll32.exe 95 PID 4124 wrote to memory of 1192 4124 Rundll32.exe 82 PID 4124 wrote to memory of 1192 4124 Rundll32.exe 82 PID 4124 wrote to memory of 228 4124 Rundll32.exe 83 PID 4124 wrote to memory of 228 4124 Rundll32.exe 83 PID 4124 wrote to memory of 4756 4124 Rundll32.exe 85 PID 4124 wrote to memory of 4756 4124 Rundll32.exe 85 PID 4124 wrote to memory of 3412 4124 Rundll32.exe 86 PID 4124 wrote to memory of 3412 4124 Rundll32.exe 86 PID 4124 wrote to memory of 4344 4124 Rundll32.exe 87 PID 4124 wrote to memory of 4344 4124 Rundll32.exe 87 PID 4124 wrote to memory of 4396 4124 Rundll32.exe 88 PID 4124 wrote to memory of 4396 4124 Rundll32.exe 88 PID 4124 wrote to memory of 4928 4124 Rundll32.exe 101 PID 4124 wrote to memory of 4928 4124 Rundll32.exe 101 PID 4124 wrote to memory of 4928 4124 Rundll32.exe 101 PID 3412 wrote to memory of 5068 3412 net.exe 102 PID 3412 wrote to memory of 5068 3412 net.exe 102 PID 3412 wrote to memory of 5068 3412 net.exe 102 PID 228 wrote to memory of 3112 228 system.exe 104 PID 228 wrote to memory of 3112 228 system.exe 104 PID 228 wrote to memory of 3112 228 system.exe 104 PID 4756 wrote to memory of 1224 4756 net.exe 105 PID 4756 wrote to memory of 1224 4756 net.exe 105 PID 4756 wrote to memory of 1224 4756 net.exe 105 PID 1192 wrote to memory of 768 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 121 PID 1192 wrote to memory of 768 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 121 PID 1192 wrote to memory of 768 1192 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe 121
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\kkbemgaa.dll Exbcute3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\net.exenet stop WinDefend4⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend5⤵PID:1224
-
-
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc4⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc5⤵PID:5068
-
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
PID:4344
-
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled4⤵
- Launches sc.exe
PID:4396
-
-
C:\Windows\SysWOW64\sc.exesc stop ZhuDongFangYu4⤵
- Launches sc.exe
PID:3432
-
-
C:\Windows\SysWOW64\sc.exesc delete ZhuDongFangYu4⤵
- Launches sc.exe
PID:2600
-
-
C:\Windows\SysWOW64\sc.exesc stop 360rp4⤵
- Launches sc.exe
PID:4672
-
-
C:\Windows\SysWOW64\sc.exesc delete 360rp4⤵
- Launches sc.exe
PID:4048
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" stop PolicyAgent4⤵
- Launches sc.exe
PID:4928
-
-
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\hhffmgaa.dll Exbcute3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
PID:3112
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exeC:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:768
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD55bac61ee3eeb945c3f8be6e59986d9d6
SHA155697ed64c01452387f25d00c21b6d4cbd3e9a2b
SHA256fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24
SHA5120198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed
-
Filesize
4.3MB
MD56c7cdd25c2cb0073306eb22aebfc663f
SHA1a1eba8ab49272b9852fe6a543677e8af36271248
SHA25658280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
SHA51217344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6
-
Filesize
24KB
MD5af18ffd71cf2abe49e60353b9202bf70
SHA1fca0fb502f5d79eacfb6b3af613e9f38e30220d8
SHA256adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
SHA5123bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb
-
Filesize
75KB
MD59b0bdefd566a844ab82d31d41cae80eb
SHA111221562bee4503b003ba5f8e7be67df92093dd9
SHA256c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
SHA51266e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909
-
Filesize
144KB
MD52de43a2571b821f9cdcd84c3c23b7ce6
SHA1ff038212807b5cc4ce85009877350a25f3495f1d
SHA256894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
SHA512de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7