Analysis Overview
SHA256
438b77eb32f4c8c7ce480db8c6d97f4ad6b71cd109b3691ec60da1f2fba9679e
Threat Level: Shows suspicious behavior
The file 2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia was classified as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Enumerates connected drives
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-06-02 06:44 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-06-02 06:44 |
| Reported | 2024-06-02 06:47 |
| Platform | win7-20240221-en |
| Max time kernel | 118s |
| Max time network | 125s |
| Command Line | |
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding B603511524C77017477D8932F491A552 C |
Network
Files
memory/2508-0-0x00000000001A0000-0x00000000001A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
| MD5 | 9c19e9fb26bc5f0a792fde112391d8de |
| SHA1 | 56beb813f80e8cb196d77797548d1dcb323bb4fc |
| SHA256 | 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5 |
| SHA512 | 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21 |
\Users\Admin\AppData\Local\Temp\MSIA41C.tmp
| MD5 | 4284e0adf522b8d84f0467cb269be963 |
| SHA1 | e76f5d60b8610799bdb71913dbff7a204eed1c05 |
| SHA256 | 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e |
| SHA512 | 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2508\dialog.jpg
| MD5 | e144e2d92603c76d056c83985a8937d3 |
| SHA1 | 6c69d26b7ee4d598d4ebcad36b3a440714552076 |
| SHA256 | 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461 |
| SHA512 | 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062 |
C:\Users\Admin\AppData\Local\Temp\MSIA91E.tmp
| MD5 | 10452409b027f3083752314fb20eee9b |
| SHA1 | ad0eefd9ec437200e185b932038821868b261a74 |
| SHA256 | 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0 |
| SHA512 | 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8 |
memory/2508-56-0x00000000001A0000-0x00000000001A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-06-02 06:44 |
| Reported | 2024-06-02 06:47 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 134s |
| Max time network | 151s |
| Command Line | |
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3256 wrote to memory of 4924 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 3256 wrote to memory of 4924 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 3256 wrote to memory of 4924 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding C1982BEF04D941E4E3848AEEFEF222A5 C |
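The only concrete indicator in the signature tables of either run is the repeated WriteProcessMemory from the 64-bit msiexec.exe (PID 2996 on Windows 7, PID 3256 on Windows 10) into the 32-bit MsiExec.exe under syswow64. Read together with the command lines above, that is the Windows Installer service (`msiexec.exe /V`) writing into the custom action server it spawns (`MsiExec.exe -Embedding <id>`), which happens for any MSI that carries custom actions; on its own it is not evidence that the sample injects code. The script below is an added example, not part of the sandbox report or of any tool that produced it. It parses the WriteProcessMemory rows from both runs, collapses the repeated events into one count per edge, and labels each edge against that installer pattern. The rows and command lines are copied from this page; the PID 4100 row is a constructed, hypothetical event that does not appear in the report and only shows how a write outside the pattern is flagged. Because the Processes list prints no PIDs, command lines are joined to images by path, an assumption of the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input, copied from the report's "Suspicious use of
# WriteProcessMemory" tables: behavioral1 printed the PID 2996 row seven
# times and behavioral2 the PID 3256 row three times. The PID 4100 row is a
# hypothetical event that is NOT in the report; it only exercises the
# fall-through verdict.
WPM_ROWS = (
    [r"| PID 2996 wrote to memory of 2532 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |"] * 7
    + [r"| PID 3256 wrote to memory of 4924 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |"] * 3
    + [r"| PID 4100 wrote to memory of 1234 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\explorer.exe |"]
)

# Constructed input, copied from the report's "Processes" lists (identical in
# both runs apart from the -Embedding identifier).
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2024-06-02_3e2449e9237f6d59a6d1da1925405355_mafia.exe"',
    r"C:\Windows\system32\msiexec.exe /V",
    r"C:\Windows\syswow64\MsiExec.exe -Embedding B603511524C77017477D8932F491A552 C",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm_rows(rows):
    """Collapse repeated rows into a Counter keyed by
    (src_pid, dst_pid, src_image, dst_image); the value is the event count."""
    edges = Counter()
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = ROW_RE.search(cells[0])
        if m and len(cells) == 4:
            edges[(int(m.group(1)), int(m.group(2)), cells[2], cells[3])] += 1
    return edges


def command_line_by_image(command_lines):
    """Key each command line by its image path. The report prints no PID next
    to the command lines, so the image path is the only join key available
    (an assumption of this example, not something the report states)."""
    table = {}
    for cl in command_lines:
        image = cl.split('"')[1] if cl.startswith('"') else cl.split(" ", 1)[0]
        table[image.lower()] = cl
    return table


def classify_edge(edge, cmdlines):
    """Label one WriteProcessMemory edge.

    The Windows Installer service runs as "msiexec.exe /V" and starts a
    custom action server as "MsiExec.exe -Embedding <id>"; the service
    writing into that child is part of every MSI install that has custom
    actions, so it is reported as expected rather than as injection."""
    _, _, src_image, dst_image = edge
    src_cl = cmdlines.get(src_image.lower(), "")
    dst_cl = cmdlines.get(dst_image.lower(), "")
    src_name = PureWindowsPath(src_image).name.lower()
    dst_name = PureWindowsPath(dst_image).name.lower()
    if (src_name == dst_name == "msiexec.exe"
            and " /V" in src_cl and "-Embedding" in dst_cl):
        return "expected: Windows Installer service -> custom action server"
    if src_name == dst_name:
        return "review: write between two instances of the same image"
    return "review: cross-image write"


def triage(rows, command_lines):
    """Return one record per distinct edge with its event count and verdict."""
    cmdlines = command_line_by_image(command_lines)
    return [
        {"src_pid": s, "dst_pid": d, "src": src, "dst": dst,
         "events": n, "verdict": classify_edge((s, d, src, dst), cmdlines)}
        for (s, d, src, dst), n in sorted(parse_wpm_rows(rows).items())
    ]


if __name__ == "__main__":
    for r in triage(WPM_ROWS, COMMAND_LINES):
        print(f"PID {r['src_pid']} -> PID {r['dst_pid']} x{r['events']}: {r['verdict']}")
```

Run as is, the two installer edges print as expected and only the hypothetical PID 4100 edge is marked for review. In a real triage the next question is what the DLLs behind the "Loads dropped DLL" rows do; the report records only that MsiExec.exe loaded them and does not name them.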
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
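The table does not say which process produced each flow, and the Windows 7 run recorded no network activity at all, so nothing on this page ties these flows to the sample. What can be checked is the table's internal structure: every UDP row is a query to 8.8.8.8, ten of them reverse (in-addr.arpa) lookups, and the only connections are four TCP sessions to 204.79.197.200:443 resolved as tse1.mm.bing.net. The script below is an added example, not part of the report, that decodes the PTR names back into addresses and correlates them with the observed connections. It shows that exactly one reverse lookup (200.197.79.204.in-addr.arpa) matches a contacted host and that the other nine were resolver activity with no flow behind them. The input is the table above, copied verbatim; the field names in the returned dictionary are the example's own.

```python
import ipaddress
import re

# Constructed input: the Network table of the win10 run (behavioral2), copied
# from the report. The win7 run (behavioral1) recorded no network activity.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_name_to_ip(name):
    """Undo the octet reversal of an IPv4 PTR name:
    '200.197.79.204.in-addr.arpa' -> '204.79.197.200'.
    Returns None for forward names and for reverse names with a bad octet."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network(table):
    """Parse the report's '| Country | Destination | Domain | Proto |' rows."""
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        host, port = cells[1].rsplit(":", 1)
        flows.append({"dst": host, "port": int(port), "name": cells[2], "proto": cells[3]})
    return flows


def correlate(flows):
    """Split resolver traffic from real connections and tie PTR queries to them."""
    def is_dns(f):
        return f["port"] == 53 and f["proto"] == "udp"

    dns = [f for f in flows if is_dns(f)]
    conns = [f for f in flows if not is_dns(f)]
    ptr_ips = {ip for ip in map(ptr_name_to_ip, (f["name"] for f in dns)) if ip}
    forward = {f["name"] for f in dns if ptr_name_to_ip(f["name"]) is None}
    connections = {}
    for f in conns:
        key = f"{f['dst']}:{f['port']}/{f['proto']}"
        connections[key] = connections.get(key, 0) + 1
    contacted = {f["dst"] for f in conns}
    return {
        "connections": connections,                  # destination -> flow count
        "forward_lookups": forward,                  # names resolved forward
        "ptr_with_connection": ptr_ips & contacted,  # reverse lookup of a host that was contacted
        "ptr_only": ptr_ips - contacted,             # reverse lookups with no flow behind them
        "connection_without_ptr": contacted - ptr_ips,
    }


if __name__ == "__main__":
    for k, v in correlate(parse_network(NETWORK_TABLE)).items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
```

The nine addresses under `ptr_only` are the ones to look up against the sandbox image's own background traffic before attributing them to the sample; the report gives no process for any of them.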
Files
memory/3776-0-0x00000000024A0000-0x00000000024A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
| MD5 | 9c19e9fb26bc5f0a792fde112391d8de |
| SHA1 | 56beb813f80e8cb196d77797548d1dcb323bb4fc |
| SHA256 | 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5 |
| SHA512 | 5f2f4110c35ddb5f60751e6f854bd6fe21296c88f42e3645801893678b24e0f377582f759d3f84e68696aebb770180ddb4e6a65548e465213c708b9aeadeca21 |
C:\Users\Admin\AppData\Local\Temp\MSI4B80.tmp
| MD5 | 4284e0adf522b8d84f0467cb269be963 |
| SHA1 | e76f5d60b8610799bdb71913dbff7a204eed1c05 |
| SHA256 | 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e |
| SHA512 | 2df47a0cfe5d735f877be3a6e08fc2df2985b9f868d2ab0a78a0e90b2645ed49b3eb45e51d283d62680f31e042f6f145b5909552bf9cdd81c627684baecef3eb |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3776\dialog.jpg
| MD5 | e144e2d92603c76d056c83985a8937d3 |
| SHA1 | 6c69d26b7ee4d598d4ebcad36b3a440714552076 |
| SHA256 | 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461 |
| SHA512 | 6720a22714e87176a049328c2de2125b3b9532bc3b53daaf33b1d9eb24f1f3c105932d505a1008eab264fd16a393fd97a3c5755b5c68962cc633db09b9492062 |
C:\Users\Admin\AppData\Local\Temp\MSI4D67.tmp
| MD5 | 10452409b027f3083752314fb20eee9b |
| SHA1 | ad0eefd9ec437200e185b932038821868b261a74 |
| SHA256 | 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0 |
| SHA512 | 5812285df37629492b4be87e4db5c2b1765c1925ee37ce891198cb0e7782de590b3f7e5573cbcd7b22b1bada594eb5a34cc2c49c73d0141065597da821b6a5b8 |
memory/3776-56-0x00000000024A0000-0x00000000024A1000-memory.dmp
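Both runs drop the same four files: the installer package KFACTOR_x86.msi under AppData\Roaming, two MSI*.tmp files in the user's Temp directory, and dialog.jpg under an AI_EXTUI_BIN_<pid> directory. Only the per-run names differ (MSIA41C.tmp versus MSI4B80.tmp, MSIA91E.tmp versus MSI4D67.tmp, and the PID in AI_EXTUI_BIN_); the digests are identical, so the content hash rather than the path is the indicator to pivot on. The "suspicious" signatures above (Loads dropped DLL, AdjustPrivilegeToken, msiexec writing to MsiExec) are all consistent with an ordinary Windows Installer run, so whether the package is benign comes down to the MSI itself, whose content the report does not show. The script below is an added example, not part of the report, that parses the Files sections of both runs, checks that each digest has the expected length and hex alphabet, normalizes the per-run randomness out of the paths, and groups artifacts by SHA-256 across runs. The `MSI<rnd>` and `AI_EXTUI_BIN_<pid>` placeholders are the example's own notation; the SHA512 rows are left out of the constructed input for brevity, and the normalizer drops drive letters because the report prints the first temp path without one.

```python
import re
from collections import defaultdict

# Constructed input: the Files sections of both runs, copied from the report
# (SHA512 rows and memory-dump entries omitted; neither changes the grouping).
FILES_BY_RUN = {
    "behavioral1": r"""
C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
| MD5 | 9c19e9fb26bc5f0a792fde112391d8de |
| SHA1 | 56beb813f80e8cb196d77797548d1dcb323bb4fc |
| SHA256 | 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5 |
\Users\Admin\AppData\Local\Temp\MSIA41C.tmp
| MD5 | 4284e0adf522b8d84f0467cb269be963 |
| SHA1 | e76f5d60b8610799bdb71913dbff7a204eed1c05 |
| SHA256 | 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2508\dialog.jpg
| MD5 | e144e2d92603c76d056c83985a8937d3 |
| SHA1 | 6c69d26b7ee4d598d4ebcad36b3a440714552076 |
| SHA256 | 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461 |
C:\Users\Admin\AppData\Local\Temp\MSIA91E.tmp
| MD5 | 10452409b027f3083752314fb20eee9b |
| SHA1 | ad0eefd9ec437200e185b932038821868b261a74 |
| SHA256 | 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0 |
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\NORMA Knowledge Management Systems S.R.L\NORMA K-Factor 5.1.2.312\install\KFACTOR_x86.msi
| MD5 | 9c19e9fb26bc5f0a792fde112391d8de |
| SHA1 | 56beb813f80e8cb196d77797548d1dcb323bb4fc |
| SHA256 | 32fd3394209825a71498f94df5040d4ef623a2170b1a569436d467456a39fcb5 |
C:\Users\Admin\AppData\Local\Temp\MSI4B80.tmp
| MD5 | 4284e0adf522b8d84f0467cb269be963 |
| SHA1 | e76f5d60b8610799bdb71913dbff7a204eed1c05 |
| SHA256 | 550961ffa04667ecf8e69be255cd73b514c02e76755de48bedecd74d8e46c73e |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3776\dialog.jpg
| MD5 | e144e2d92603c76d056c83985a8937d3 |
| SHA1 | 6c69d26b7ee4d598d4ebcad36b3a440714552076 |
| SHA256 | 6344d13c20f1650d4e5f630073141f2ec9f6b5fed77998d2e21cb14cdc5da461 |
C:\Users\Admin\AppData\Local\Temp\MSI4D67.tmp
| MD5 | 10452409b027f3083752314fb20eee9b |
| SHA1 | ad0eefd9ec437200e185b932038821868b261a74 |
| SHA256 | 09b7a1facafc789e4ab4f74700c66d815fa24496c69837e05073fc619ae9cdc0 |
""",
}

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_files_section(text):
    """A line not starting with '|' opens a new artifact (its path); the
    '| ALG | hex |' rows that follow attach its digests."""
    artifacts, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current["digests"][cells[0].upper()] = cells[1].lower()
        else:
            current = {"path": line, "digests": {}}
            artifacts.append(current)
    return artifacts


def digest_problems(artifact):
    """List malformed digest fields; SHA256 is required because it is the
    grouping key. An empty list means the entry is usable."""
    problems = []
    if "SHA256" not in artifact["digests"]:
        problems.append("missing SHA256")
    for alg, value in artifact["digests"].items():
        if len(value) != DIGEST_LEN.get(alg, -1) or not HEX_RE.match(value):
            problems.append(f"malformed {alg}")
    return problems


def normalize_path(path):
    """Strip per-run randomness so the same artifact lines up across runs:
    MSI<4 hex>.tmp names and the AI_EXTUI_BIN_<pid> directory change on every
    execution, and the report prints one temp path without its drive letter."""
    path = re.sub(r"^[A-Za-z]:", "", path)
    path = re.sub(r"(?i)\\MSI[0-9A-F]{4}\.tmp$", r"\\MSI<rnd>.tmp", path)
    return re.sub(r"AI_EXTUI_BIN_\d+", "AI_EXTUI_BIN_<pid>", path)


def correlate_runs(files_by_run):
    """Group dropped files across runs by SHA256: a content hash that recurs
    under different temp names is the stable indicator, the temp name is not."""
    groups = defaultdict(lambda: {"runs": set(), "paths": set(), "problems": []})
    for run, text in files_by_run.items():
        for art in parse_files_section(text):
            entry = groups[art["digests"].get("SHA256", "<no sha256>")]
            entry["runs"].add(run)
            entry["paths"].add(normalize_path(art["path"]))
            entry["problems"].extend(digest_problems(art))
    return dict(groups)


if __name__ == "__main__":
    for sha, g in correlate_runs(FILES_BY_RUN).items():
        print(sha, sorted(g["runs"]), sorted(g["paths"]), g["problems"] or "ok")
```

The output is four groups, each seen in both runs under one normalized path. The MSI's digest (SHA-256 32fd3394...) is the value to compare against a copy of the package obtained directly from the vendor; the sample's own verdict covers only the unsigned bootstrapper that drops it.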