7bc059f4a6477f3e1599088733e9483f5b597618e01d6ba950f5f481d2f55ef3

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Size

11.2MB
MD5

4958939e2fdf025d4e0d87015c53da01
SHA1

6d2525fec6fd4722f0ea3ab892ef6d02d23d316b
SHA256

7bc059f4a6477f3e1599088733e9483f5b597618e01d6ba950f5f481d2f55ef3
SHA512

7152612abcc460d241a266c6590d0d5744ba62adb47921751deda38aa54e038787a8493cc3481e3a852e7472ddba908c63d0ce72573188d922bcd36a45ef096b
SSDEEP

196608:h9Gr9GJn0hFy8zVE1Z9xwvg004RJXMki/jFMhkRwi3rhUiJpzBRU+e9kW:bG5GOLy8O/rwvg0VfX3GjahkRwYKiXdq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\S:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\I:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\U:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\L:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\Q:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\X:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\J:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\O:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\Y:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\W:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\P:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\K:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\T:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\Z:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
File opened (read-only)	\??\M:	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3068	msiexec.exe
Token: SeTakeOwnershipPrivilege	3068	msiexec.exe
Token: SeSecurityPrivilege	3068	msiexec.exe
Token: SeCreateTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeLockMemoryPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeIncreaseQuotaPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeMachineAccountPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeTcbPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSecurityPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeTakeOwnershipPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeLoadDriverPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemProfilePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemtimePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeProfSingleProcessPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeIncBasePriorityPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreatePagefilePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreatePermanentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeBackupPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeRestorePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeShutdownPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeDebugPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeAuditPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemEnvironmentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeChangeNotifyPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeRemoteShutdownPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeUndockPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSyncAgentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeEnableDelegationPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeManageVolumePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeImpersonatePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreateGlobalPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreateTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeLockMemoryPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeIncreaseQuotaPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeMachineAccountPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeTcbPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSecurityPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeTakeOwnershipPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeLoadDriverPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemProfilePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemtimePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeProfSingleProcessPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeIncBasePriorityPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreatePagefilePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreatePermanentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeBackupPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeRestorePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeShutdownPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeDebugPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeAuditPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSystemEnvironmentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeChangeNotifyPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeRemoteShutdownPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeUndockPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeSyncAgentPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeEnableDelegationPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeManageVolumePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeImpersonatePrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreateGlobalPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeCreateTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
Token: SeLockMemoryPrivilege	1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29
PID 3068 wrote to memory of 2652	3068	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_4958939e2fdf025d4e0d87015c53da01_mafia.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24A0ADADD9A1C7A522810332D051DEB2 C
  2⤵
  - Loads dropped DLL
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\PrepareDlgProgress.gif

Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\backbutton

Filesize
404B

MD5
50e27244df2b1690728e8252088a253c

SHA1
b84ad02fd0ed3cb933ffbd123614a2495810442b

SHA256
71836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3

SHA512
ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\background

Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\browsebutton

Filesize
253B

MD5
9554be0be090a59013222261971430ad

SHA1
9e307b13b4480d0e18cfb1c667f7cfe6c62cc97c

SHA256
f4302ee2090bc7d7a27c4bc970af6eb61c050f14f0876541a8d2f32bc41b9bab

SHA512
ac316f784994da4fed7deb43fe785258223aba5f43cc5532f3e7b874adc0bc6dbcd8e95e631703606dfaa2c40be2e2bb6fa5bc0a6217efe657e74531654ea71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\checkbox

Filesize
1KB

MD5
0b044ccde7aa9d86e02a94030d744ac2

SHA1
0594ebb3737536703907ba5672ccd351c6afb98a

SHA256
bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3

SHA512
dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\frame_bottom_right.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\media_player.png

Filesize
16KB

MD5
ee937e77408fea3228dfdfa3716566d3

SHA1
8a3a5d0c2a32a075d60c0d25ad505e71f90b7c88

SHA256
bc2e8052568540f528d91a4df1c4bff098a8d76e4561a80d7e5ed52d4352bd86

SHA512
e9a29732332ae3507aa62d5330c2ae84d5d566ad378fd3583c30cb4659ef3e7c2eb41ad77ab0eb9f0a460cbc7c7dc71b961471057b14041780d1a254b605fc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\metroinstallbutton

Filesize
520B

MD5
70db38d656afa3778dcf6173d390e61b

SHA1
8b8674d6d70d67943d313d2b74222daa4bd1691d

SHA256
3a0a5b69f9da7cae9fc631326ed8aa97abbaaecf2bf15d0a73169a29f3381e83

SHA512
8888ab493c7342f69b33279eaec4f99c41a906929d65503c48c7059d199fbab267ba9ad6ef6e57a7a56d2a321c01e46008f770afe67fa99ec7b7676ec2376c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\nextcancelbuttons

Filesize
404B

MD5
583580e2c651f5c230fb3235b7ca0e3b

SHA1
a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3

SHA256
65172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f

SHA512
6c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2636.tmp

Filesize
91KB

MD5
e82cfcfc5b1e271bb0ea368ee0697cc7

SHA1
d8904f05ae4447b6bbb23466d73186abc5ff4db0

SHA256
adee901de613487edd9c80d199340875bd1faed7b999eee452e6b136865bca28

SHA512
964738a62a85ef52e8cd16c54bfe85a8e24f614c26d4809ddc153276b2012de475e3011c98f59f5dd37e60f0f9e9da4c8b1df5c2c34224a9dc1bf714febd040c

Download Submit
C:\Users\Admin\AppData\Roaming\GameBot\Clash GameBot 4.1\install\CGBInstallerLight.msi

Filesize
1.2MB

MD5
4c18c7bf2f1e2546b7fe99a483ebea65

SHA1
8322cad60b4eab3eda901e003149454a33af4fc9

SHA256
60f43971b848a22763aeba1c7ef436009b52099c3d64bed3e99498ae16d9d679

SHA512
05e4fef084ccf18c7d09d845443ad9a1bb0bfede1f273f2477cd468684a5bf5dcd6a1689fef0f4877e0c0b6e254407f0e749f0e3e6da74651fb5f369ae3f2623

Download Submit
memory/1244-0-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1244-186-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download