Analysis

  • max time kernel: 118s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 02/06/2024, 06:44

General

  • Target: 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
  • Size: 14.4MB
  • MD5: 3e2449e9237f6d59a6d1da1925405355
  • SHA1: fceca04a2ffa5a4eb22c63fdcb95ae1d2b58b66d
  • SHA256: 438b77eb32f4c8c7ce480db8c6d97f4ad6b71cd109b3691ec60da1f2fba9679e
  • SHA512: 45294f406ab39ce9ee73a3749eed161ec54c4d6be5d1fe49f612f75f9ecaaba1fc857a1ac4384d06c5e60aedb7400da9646aba53fcaf9e99a525198f05e5ced8
  • SSDEEP: 393216:CTt1pYPVK5ESoS2Ha9665W4X3uf0vGWi2YRVlGnMEq:8pYVxa9p5W4X3usv6Vjn

Score: 7/10

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe (PID 2508)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe (PID 2996)
    Command line: C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\syswow64\MsiExec.exe (PID 2532, child of PID 2996)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B603511524C77017477D8932F491A552 C
      • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2508\dialog.jpg
    Filesize: 14KB
    MD5: e144e2d92603c76d056c83985a8937d3
    SHA1: 6c69d26b7ee4d598d4ebcad36b3a440714552076
    SHA256: 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461
    SHA512: 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062

  • C:\Users\Admin\AppData\Local\Temp\MSIA91E.tmp
    Filesize: 293KB
    MD5: 10452409b027f3083752314fb20eee9b
    SHA1: ad0eefd9ec437200e185b932038821868b261a74
    SHA256: 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0
    SHA512: 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8

  • C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
    Filesize: 7.1MB
    MD5: 9c19e9fb26bc5f0a792fde112391d8de
    SHA1: 56beb813f80e8cb196d77797548d1dcb323bb4fc
    SHA256: 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5
    SHA512: 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21

  • \Users\Admin\AppData\Local\Temp\MSIA41C.tmp
    Filesize: 85KB
    MD5: 4284e0adf522b8d84f0467cb269be963
    SHA1: e76f5d60b8610799bdb71913dbff7a204eed1c05
    SHA256: 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e
    SHA512: 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb

  • memory/2508-0-0x00000000001A0000-0x00000000001A1000-memory.dmp
    Filesize: 4KB

  • memory/2508-56-0x00000000001A0000-0x00000000001A1000-memory.dmp
    Filesize: 4KB