Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/06/2024, 13:22

General

  • Target

    2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe

  • Size

    14.1MB

  • MD5

    44d0e7753e5e40231be7c7902fc7657d

  • SHA1

    e755cf1d7d15883e2aaa598c0466c2b78cb6f968

  • SHA256

    c929abac70998995f0bcbbfe913a408c0b487e8c33c16199d269c232d3dda932

  • SHA512

    095e4c5ca659848eccf780e3d165c2b0d6b7c1d24f85dd6e779768a8bcb299d59cb8681708e0c270dd27c7b5d59844cac911d52f6d9e8c400d27f8cf0be46c7f

  • SSDEEP

    393216:Ax+I1pVEanRFM6fYGKWzQglJo6mZnKxr9Wwr4T:Ax+I17/M6fWIQmJHmdk1rw

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 30 IoCs
  • Drops file in System32 directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe
      GRR.exe --install --config GRR.exe.yaml
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2384

Network

MITRE ATT&CK Matrix

Downloads
