Malware Analysis Report

2025-04-14 00:17

Sample ID 240602-hhxdsaee98
Target 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia
SHA256 438b77eb32f4c8c7ce480db8c6d97f4ad6b71cd109b3691ec60da1f2fba9679e
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

438b77eb32f4c8c7ce480db8c6d97f4ad6b71cd109b3691ec60da1f2fba9679e

Threat Level: Shows suspicious behavior

The file 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 06:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 06:44

Reported

2024-06-02 06:47

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B603511524C77017477D8932F491A552 C

Network

N/A

Files

memory/2508-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi

MD5 9c19e9fb26bc5f0a792fde112391d8de
SHA1 56beb813f80e8cb196d77797548d1dcb323bb4fc
SHA256 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5
SHA512 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21

\Users\Admin\AppData\Local\Temp\MSIA41C.tmp

MD5 4284e0adf522b8d84f0467cb269be963
SHA1 e76f5d60b8610799bdb71913dbff7a204eed1c05
SHA256 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e
SHA512 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2508\dialog.jpg

MD5 e144e2d92603c76d056c83985a8937d3
SHA1 6c69d26b7ee4d598d4ebcad36b3a440714552076
SHA256 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461
SHA512 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062

C:\Users\Admin\AppData\Local\Temp\MSIA91E.tmp

MD5 10452409b027f3083752314fb20eee9b
SHA1 ad0eefd9ec437200e185b932038821868b261a74
SHA256 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0
SHA512 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8

memory/2508-56-0x00000000001A0000-0x00000000001A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 06:44

Reported

2024-06-02 06:47

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3256 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3256 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1982BEF04D941E4E3848AEEFEF222A5 C

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3776-0-0x00000000024A0000-0x00000000024A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi

MD5 9c19e9fb26bc5f0a792fde112391d8de
SHA1 56beb813f80e8cb196d77797548d1dcb323bb4fc
SHA256 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5
SHA512 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21

C:\Users\Admin\AppData\Local\Temp\MSI4B80.tmp

MD5 4284e0adf522b8d84f0467cb269be963
SHA1 e76f5d60b8610799bdb71913dbff7a204eed1c05
SHA256 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e
SHA512 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3776\dialog.jpg

MD5 e144e2d92603c76d056c83985a8937d3
SHA1 6c69d26b7ee4d598d4ebcad36b3a440714552076
SHA256 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461
SHA512 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062

C:\Users\Admin\AppData\Local\Temp\MSI4D67.tmp

MD5 10452409b027f3083752314fb20eee9b
SHA1 ad0eefd9ec437200e185b932038821868b261a74
SHA256 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0
SHA512 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8

memory/3776-56-0x00000000024A0000-0x00000000024A1000-memory.dmp