Analysis Overview
SHA256
4d770a637191881ffccb789f004cd0402ac26c53da7d309a58c50926f873eda7
Threat Level: Known bad
The file 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Detects executables containing possible sandbox analysis VM usernames
Blocklisted process makes network request
Stops running service(s)
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Modifies registry class
Runs net.exe
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-26 03:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-26 03:49
Reported: 2024-05-26 03:52
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 120s
Command Line
Signatures
Disables service(s)
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| File created | C:\Windows\SysWOW64\uctetbtb.dll | C:\Windows\SysWOW64\system.exe | N/A |
| File created | C:\Windows\SysWOW64\hwvetbtb.dll | C:\Windows\SysWOW64\system.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"
C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\uctetbtb.dll Exbcute
C:\Windows\SysWOW64\net.exe
net stop WinDefend
C:\Windows\SysWOW64\net.exe
net stop MpsSvc
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
C:\Windows\SysWOW64\sc.exe
sc stop ZhuDongFangYu
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
C:\Windows\SysWOW64\sc.exe
sc delete ZhuDongFangYu
C:\Windows\SysWOW64\sc.exe
sc stop 360rp
C:\Windows\SysWOW64\sc.exe
sc delete 360rp
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" stop PolicyAgent
C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\hwvetbtb.dll Exbcute
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tsh16.w3g7j.com | udp |
| FI | 193.166.255.171:8080 | tsh16.w3g7j.com | tcp |
Files
memory/1848-0-0x0000000000910000-0x0000000000D2D000-memory.dmp
\Windows\SysWOW64\system.exe
| MD5 | 2de43a2571b821f9cdcd84c3c23b7ce6 |
| SHA1 | ff038212807b5cc4ce85009877350a25f3495f1d |
| SHA256 | 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7 |
| SHA512 | de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7 |
C:\Windows\SysWOW64\uctetbtb.dll
| MD5 | 9b0bdefd566a844ab82d31d41cae80eb |
| SHA1 | 11221562bee4503b003ba5f8e7be67df92093dd9 |
| SHA256 | c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc |
| SHA512 | 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909 |
memory/1848-16-0x00000000002C0000-0x00000000002C1000-memory.dmp
C:\Windows\SysWOW64\hwvetbtb.dll
| MD5 | af18ffd71cf2abe49e60353b9202bf70 |
| SHA1 | fca0fb502f5d79eacfb6b3af613e9f38e30220d8 |
| SHA256 | adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac |
| SHA512 | 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb |
\Users\Admin\AppData\Local\Temp\13DE.tmp
| MD5 | b5eb5bd3066959611e1f7a80fd6cc172 |
| SHA1 | 6fb1532059212c840737b3f923a9c0b152c0887a |
| SHA256 | 1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc |
| SHA512 | 6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6 |
memory/1848-56-0x0000000000910000-0x0000000000D2D000-memory.dmp
\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
| MD5 | 5bac61ee3eeb945c3f8be6e59986d9d6 |
| SHA1 | 55697ed64c01452387f25d00c21b6d4cbd3e9a2b |
| SHA256 | fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24 |
| SHA512 | 0198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-26 03:49
Reported: 2024-05-26 03:52
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Disables service(s)
Detects executables containing possible sandbox analysis VM usernames
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| File created | C:\Windows\SysWOW64\kkbemgaa.dll | C:\Windows\SysWOW64\system.exe | N/A |
| File created | C:\Windows\SysWOW64\hhffmgaa.dll | C:\Windows\SysWOW64\system.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"
C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\kkbemgaa.dll Exbcute
C:\Windows\SysWOW64\net.exe
net stop WinDefend
C:\Windows\SysWOW64\net.exe
net stop MpsSvc
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
C:\Windows\SysWOW64\sc.exe
sc stop ZhuDongFangYu
C:\Windows\SysWOW64\sc.exe
sc delete ZhuDongFangYu
C:\Windows\SysWOW64\sc.exe
sc stop 360rp
C:\Windows\SysWOW64\sc.exe
sc delete 360rp
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" stop PolicyAgent
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\hhffmgaa.dll Exbcute
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tsh16.w3g7j.com | udp |
| FI | 193.166.255.171:8080 | tsh16.w3g7j.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/1192-1-0x0000000000B30000-0x0000000000F4D000-memory.dmp
C:\Windows\SysWOW64\system.exe
| MD5 | 2de43a2571b821f9cdcd84c3c23b7ce6 |
| SHA1 | ff038212807b5cc4ce85009877350a25f3495f1d |
| SHA256 | 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7 |
| SHA512 | de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7 |
C:\Windows\SysWOW64\kkbemgaa.dll
| MD5 | 9b0bdefd566a844ab82d31d41cae80eb |
| SHA1 | 11221562bee4503b003ba5f8e7be67df92093dd9 |
| SHA256 | c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc |
| SHA512 | 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909 |
memory/1192-9-0x0000000001420000-0x0000000001421000-memory.dmp
C:\Windows\SysWOW64\hhffmgaa.dll
| MD5 | af18ffd71cf2abe49e60353b9202bf70 |
| SHA1 | fca0fb502f5d79eacfb6b3af613e9f38e30220d8 |
| SHA256 | adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac |
| SHA512 | 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb |
C:\Users\Admin\AppData\Local\Temp\590D.tmp
| MD5 | 6c7cdd25c2cb0073306eb22aebfc663f |
| SHA1 | a1eba8ab49272b9852fe6a543677e8af36271248 |
| SHA256 | 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705 |
| SHA512 | 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6 |
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
| MD5 | 5bac61ee3eeb945c3f8be6e59986d9d6 |
| SHA1 | 55697ed64c01452387f25d00c21b6d4cbd3e9a2b |
| SHA256 | fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24 |
| SHA512 | 0198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed |