Analysis
max time kernel: 134s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
Size: 14.4MB
MD5: 3e2449e9237f6d59a6d1da1925405355
SHA1: fceca04a2ffa5a4eb22c63fdcb95ae1d2b58b66d
SHA256: 438b77eb32f4c8c7ce480db8c6d97f4ad6b71cd109b3691ec60da1f2fba9679e
SHA512: 45294f406ab39ce9ee73a3749eed161ec54c4d6be5d1fe49f612f75f9ecaaba1fc857a1ac4384d06c5e60aedb7400da9646aba53fcaf9e99a525198f05e5ced8
SSDEEP: 393216:CTt1pYPVK5ESoS2Ha9665W4X3uf0vGWi2YRVlGnMEq:8pYVxa9p5W4X3usv6Vjn
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
pid  Process
4924 MsiExec.exe
4924 MsiExec.exe
4924 MsiExec.exe
4924 MsiExec.exe
4924 MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (59 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
pid  Process
3776 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid  Process      procid_target
PID 3256 wrote to memory of 4924   3256 msiexec.exe  87
PID 3256 wrote to memory of 4924   3256 msiexec.exe  87
PID 3256 wrote to memory of 4924   3256 msiexec.exe  87
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"
  PID: 3776
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3256
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 3256)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C1982BEF04D941E4E3848AEEFEF222A5 C
    PID: 4924
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: e144e2d92603c76d056c83985a8937d3
SHA1: 6c69d26b7ee4d598d4ebcad36b3a440714552076
SHA256: 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461
SHA512: 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062

Filesize: 85KB
MD5: 4284e0adf522b8d84f0467cb269be963
SHA1: e76f5d60b8610799bdb71913dbff7a204eed1c05
SHA256: 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e
SHA512: 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb

Filesize: 293KB
MD5: 10452409b027f3083752314fb20eee9b
SHA1: ad0eefd9ec437200e185b932038821868b261a74
SHA256: 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0
SHA512: 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8

C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
Filesize: 7.1MB
MD5: 9c19e9fb26bc5f0a792fde112391d8de
SHA1: 56beb813f80e8cb196d77797548d1dcb323bb4fc
SHA256: 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5
SHA512: 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21