Malware Analysis Report

2025-03-15 00:18

Sample ID 240603-2aj82aca88
Target 2024-06-03_e663004a81348c99c4dffb352411fdca_mafia
SHA256 2e103871d889c34072f71de6763075addc8388252d143798db4acd543013ceb9
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e103871d889c34072f71de6763075addc8388252d143798db4acd543013ceb9

Threat Level: Known bad

The file 2024-06-03_e663004a81348c99c4dffb352411fdca_mafia was found to be: Known bad.

Malicious Activity Summary

persistence

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables referencing many IR and analysis tools

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:22

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many IR and analysis tools

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:22

Reported

2024-06-03 22:25

Platform

win10v2004-20240426-en

Max time kernel

78s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many IR and analysis tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe

C:\Windows\System32\Notepad.exe

Notepad.exe C:\Users\Admin\Desktop\Rkill.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1276-0-0x0000000000570000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe

MD5 ae368c10327fe7a8e5c875360e529b35
SHA1 d69fad67631f48f2eee9109a368eb176356da531
SHA256 797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7
SHA512 e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

C:\Users\Admin\Desktop\Rkill.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1276-12-0x0000000000570000-0x0000000000740000-memory.dmp

C:\Users\Admin\Desktop\Rkill.txt

MD5 5337a59ad686bfad387a31e3271459bd
SHA1 d016ebd9f94066d7af70e6127c351f76adf1ce54
SHA256 1b98256c1c65c9d23e5918400d5707c26f6b5e2270c24c59e4d159fcd4efd479
SHA512 0666a17cf5514f977dab94f288fe71e84c6894b9b3386828f8a8bbde45439945053ee59d014442ef88910a00d204d95044c7ea27e653c0061c9dc75a48ca59c8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:22

Reported

2024-06-03 22:25

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many IR and analysis tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.bat\PersistentHandler\ C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.exe\PersistentHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.bat C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.com\PersistentHandler\ C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe

C:\Windows\System32\Notepad.exe

Notepad.exe C:\Users\Admin\Desktop\Rkill.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.81:80 crl.microsoft.com tcp

Files

memory/1232-0-0x0000000000930000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe

MD5 ae368c10327fe7a8e5c875360e529b35
SHA1 d69fad67631f48f2eee9109a368eb176356da531
SHA256 797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7
SHA512 e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

C:\Users\Admin\Desktop\Rkill.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\Rkill.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1232-25-0x0000000000930000-0x0000000000B00000-memory.dmp

C:\Users\Admin\Desktop\Rkill.txt

MD5 571be6f6313fb4e904401155ac1a7317
SHA1 7b4ba7e7306fc3a6b39e0b66998ea8f57cbc531a
SHA256 5e03ef2493fdf8903d89e2aa54c333b6ec0925f988fe1431eec1ae205f68533b
SHA512 429c2f61f375147cbbc9bdba583277842294d9057b12c1af7c2af47064dac44d68b0ce6105ecf7660e0653d349a19c1b0e631b44d0d7e6c26efd972ce594a31a