Analysis

max time kernel:  130s
max time network: 135s
platform:         windows10-2004_x64
resource:         win10v2004-20240508-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:        26/06/2024, 13:22

Static task: static1

Behavioral task: behavioral1
  Sample:   2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe
Size:   14.1MB
MD5:    44d0e7753e5e40231be7c7902fc7657d
SHA1:   e755cf1d7d15883e2aaa598c0466c2b78cb6f968
SHA256: c929abac70998995f0bcbbfe913a408c0b487e8c33c16199d269c232d3dda932
SHA512: 095e4c5ca659848eccf780e3d165c2b0d6b7c1d24f85dd6e779768a8bcb299d59cb8681708e0c270dd27c7b5d59844cac911d52f6d9e8c400d27f8cf0be46c7f
SSDEEP: 393216:Ax+I1pVEanRFM6fYGKWzQglJo6mZnKxr9Wwr4T:Ax+I17/M6fWIQmJHmdk1rw
Signatures

Executes dropped EXE (1 IoC)
  PID 4104  GRR.exe

Loads dropped DLL (30 IoCs)
  PID 4104  GRR.exe  (30 separate DLL loads, all by this one process)

Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\System32\logfiles\GRR.log            GRR.exe
  File created                  C:\Windows\System32\logfiles\GRR_installer.txt  GRR.exe

Detects Pyinstaller (1 IoC)
  resource: behavioral2/files/0x000800000002353d-147.dat   yara_rule: pyinstaller

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4104  GRR.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 3344 wrote to memory of 4104   pid: 3344   Process: 2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe   procid_target: 88   (recorded 5 times)
  All five writes go from the sample into the GRR.exe child it had just started. CreateProcess itself writes the new process's startup parameters into the child in exactly this way, so parent-to-child writes at launch are not by themselves evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe  (PID 3344)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe  (PID 4104, child of 3344)
    command line: GRR.exe --install --config GRR.exe.yaml
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3816, separate root in the tree)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
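The process tree above shows a sample in the user's Temp directory launching a second executable it dropped into a TMPxxxx.tmp subfolder, which then writes under C:\Windows\System32\logfiles. That shape can be checked in host telemetry without a sandbox. The following Python is an added example, not part of this report, that applies two such checks to a few constructed Sysmon-style ProcessCreate (Event ID 1) and FileCreate (Event ID 11) records modelled on the PIDs and paths shown here. The explorer.exe ancestor, the parent PIDs 1000 and 3000, and the shortened Edge command line are assumptions made for the sample data; the report does not state what launched the sample.

```python
"""Flag the report's process-tree pattern in Sysmon-style telemetry."""
import re
from typing import Dict, List, Tuple

# Minimal event shape modelled on Sysmon Event ID 1 (ProcessCreate) and
# Event ID 11 (FileCreate). Field names mirror Sysmon's; the records below are
# constructed for this example, not captured from the sandbox run.
Event = Dict[str, object]

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    """True if the path lies under a per-user %LOCALAPPDATA%\\Temp directory."""
    return bool(USER_TEMP_RE.match(path))


def in_system32(path: str) -> bool:
    """True if the path lies under the Windows System32 directory."""
    return bool(SYSTEM32_RE.match(path))


def find_suspicious(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching the report's behaviour.

    Rule 1: an executable running from user Temp spawned another executable that
            also lives under Temp (the dropped GRR.exe case).
    Rule 2: a process whose image lives under user Temp created a file under
            C:\\Windows\\System32\\ (the logfiles\\GRR_installer.txt case).
    """
    findings: List[Tuple[str, int]] = []
    for ev in events:
        image = str(ev.get("Image", ""))
        if ev.get("EventID") == 1:
            parent = str(ev.get("ParentImage", ""))
            if in_user_temp(image) and in_user_temp(parent):
                findings.append(("exe_from_temp_spawns_exe_from_temp", int(ev["ProcessId"])))
        elif ev.get("EventID") == 11:
            target = str(ev.get("TargetFilename", ""))
            if in_user_temp(image) and in_system32(target):
                findings.append(("temp_process_writes_system32", int(ev["ProcessId"])))
    return findings


# Constructed sample records mirroring the report's tree.
PARENT_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"
CHILD_EXE = r"C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe"
EDGE_EXE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

SAMPLE_EVENTS: List[Event] = [
    # explorer.exe as ancestor and parent PIDs 1000 / 3000 are assumptions.
    {"EventID": 1, "ProcessId": 3344, "ParentProcessId": 1000,
     "Image": PARENT_EXE, "CommandLine": f'"{PARENT_EXE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4104, "ParentProcessId": 3344,
     "Image": CHILD_EXE, "CommandLine": "GRR.exe --install --config GRR.exe.yaml",
     "ParentImage": PARENT_EXE},
    {"EventID": 11, "ProcessId": 4104, "Image": CHILD_EXE,
     "TargetFilename": r"C:\Windows\System32\logfiles\GRR_installer.txt"},
    {"EventID": 1, "ProcessId": 3816, "ParentProcessId": 3000,
     "Image": EDGE_EXE, "CommandLine": f'"{EDGE_EXE}" --type=utility',
     "ParentImage": EDGE_EXE},
]


if __name__ == "__main__":
    for rule, pid in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Both rules also fire on plenty of legitimate installers that unpack to Temp and then write to System32 once elevated, so treat hits as triage candidates to enrich (code signature, file hashes, the `--install --config` command line) rather than as verdicts.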
Downloads

- Filesize: 4.2MB
  MD5:    b17d3655a157899fd2904d991d02872c
  SHA1:   3f482357be09118a90864037596b05c8729b0681
  SHA256: 42baea9e58961737c95cefbd1fe30248bc508f9390b27cf39bff84819e5963e5
  SHA512: c9cf68db26f508fa1a5a8c8d98211810fca2ca3494b91b474a99fe108c2a6446c6a2b94ee6e6926ec65a6898fd0e7c5596b793b7f80f07ce177c9651818bcfca

- Filesize: 2KB
  MD5:    4532472edcf3a07465f94e43ef4afe1d
  SHA1:   4b54318181d746c7f169edf5060ffed7299b07ef
  SHA256: e905ffaefd78cec4fd0b282823d3c50eaa11292f59ac1297dc3c1e90ef838832
  SHA512: a9d7369744191a6cbe690497f2cc98dab86a51b262f7bcc5a40dce0d7b1e59bff2b9b9bd6d17d244d19989adde888a9f5590ff6c429d0715c4fb1fa2418e07e8

- Filesize: 128KB
  MD5:    891fb059049987c6cf148f4b93cda09f
  SHA1:   5a154ede87b7a72556f46e63cb65b794bc200f52
  SHA256: dd673ed74e624384c8c9541a799844c0ba95e81c1f67c51971433c7223b6c616
  SHA512: ff4cc9f33b38bd6af51141c93ee988bb139743e8d2e5be956b971b20b350b7248db9fdd3e83414a92ea5377d4abd8b77f362d7889bf3dc31185d76b90ac19807

- Filesize: 89KB
  MD5:    9e6c48ec9508423d0ce6b6e4d4a10d90
  SHA1:   82548d0cfcd99bc11ecee670dc0c1c9538aa6ade
  SHA256: b700441351b3a24a1ec392376984d3d95a541ea548c77f0df55d7af579ea9c1a
  SHA512: 37fc511610e5ab06a78f276bf0f4b7335a37d40fdf0158f674ecf1b029fe3298e0667230d3f8840258b8e5413108e1e6aeaaff090b3cca6eef007ca5a1f8d926

- Filesize: 993KB
  MD5:    b1dbd52e5da083e5b5613a2b4c17a4ef
  SHA1:   0ed87f9e0b572f88e102739daab54db03fade416
  SHA256: fa57bf3173f2d636984305401c06f1618b8119fea2c311d1173566ea236fa0c6
  SHA512: dbe14802ff53e8fb9f35baa1c1bd0dc55c1073e0f96b59b5cc3783760e23c645cd453a39b2b4d0ab79ee871ba1cb81154a4cf5c54b67dde7ea14008d72dd2cae

- Filesize: 27KB
  MD5:    06c8615f66abdd6c2d986d40339d1410
  SHA1:   5db9e634bff65d33ff0ee6aa95182f8291b5afcc
  SHA256: df9fe9289d591f0891f321f8aae5b7ba7e7c4e8b0ffd5db9766ce90934a202cf
  SHA512: fc085f5db97f41b0d62bd584d24c68e57e508f225ad55839b0680bb10398b3d6364c88dcc925cb4427e311d9d2631d5d21836419e4a02f3c7d2e9c33e59d6e97

- Filesize: 45KB
  MD5:    600de8a82e2204e88df27714687f88b9
  SHA1:   dac20e0bf5482a6f09648648bc4d38562473c89e
  SHA256: a24422d519e5a9283a0887d4be09be2ac89797886d8f45151cab5e9fef8db1e1
  SHA512: 3d82eb600bd358a019dcde1f4a337d87f29c9a22937989dddfe697c433f58ba9e4a836752998a542e7df179adafa8c89c99aa18b51b100f7a57aa5b47a456460

- Filesize: 49KB
  MD5:    961525a34aa5c6dee1d3d14d112a699c
  SHA1:   874f2b08555803711d4f5176812baf160eae8c5c
  SHA256: 547b23fc7c82cf95f013223f2164b553e494f7fbb41c0e317069b2fe79d81057
  SHA512: ae09946b42f7b72e959c5b47b13a6158a955fe194f4145b7569df7c0c47a32024c4f0ab6ee943b34a4b8a2fad2ae65ce3baa852306d09ef4f52ec439d51016d1

- Filesize: 1.3MB
  MD5:    9b59be1fa8427368c4e0e763f578d74c
  SHA1:   7287fe431a0a67aa41e9952906759746ddcffad1
  SHA256: 4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026
  SHA512: 6905c5f80ff723ff79863332dd8d20d4cbbe224d355ba9b824a6f29ead62ebec16fa96ec664bdb56a2688847881a53c34459311c156f35aa887b2a808a6e9032

- Filesize: 216KB
  MD5:    5c78e849e57910f9c9c3aa7dd30407fc
  SHA1:   21a4a2db35ccfcd5efcb5b0912c776238a2940d6
  SHA256: e00f3b812b7d67d86b8eed34abd5b86adfcd08904b2a1c59ec9b516205be63a8
  SHA512: 442c091fe2d259c2de42c1922cc2fb4e11c1317a10a68d06b0781878cb6c1beaa616a96b0f5ed06a05b8f5d5ff71a2291eff3ed23720a1b3e8bdef08626b7817

- Filesize: 387B
  MD5:    6c200db311716cc01e9affaf1698b2e3
  SHA1:   458a0b48439407b973a6b378dd296c5d768a0ce4
  SHA256: c6d7ab6f03f19d5c05cbd5a21bd37d1537147b3d040e7f0cd934c067e97f0144
  SHA512: f2eb13a554a98d4b94c86d3924650895ae5c881f6da44414f69fcb9f5d317692782763ba15cd48a226d0e288ac47bb2734d9a7f54ad8f0d8128ef6860f9a4fb2

- Filesize: 7KB
  MD5:    1fccc08819ac663d36e1c567e34e8451
  SHA1:   9218d2a68454828e1fe5f06faf3a14139bd3f494
  SHA256: 7318b66e5ea1348e6875b1e0217e450e22c3fb9c96739d746be19c01be69073d
  SHA512: e744708102cc6bb57dd65e28fa29471c75784dbbb64b1d29ff06ef4ae1d1b84d62abc3da9bec6645f079b4900ee95981755d3e2b9cdf1bb005c589877478a7c9

- Filesize: 2.2MB
  MD5:    1f30b7cc98dfcfe314c570d1fe8a0b1a
  SHA1:   9ad798c634679150ff14995c1deeb658cc9abf53
  SHA256: 0b602cca491f17f3d55cc1b760bb1ebe48d96e4ca68cb6769c46960add08b67c
  SHA512: f6cd07c59df110c95ff699dbc3ef0c1ad14a7edfa64b5534228bc0587898cf7866d9ebba0c5dc2759e187f90b50cdfa706f633a2e32f1d460c652cb7a84a560d

- Filesize: 7KB
  MD5:    7db9c7461c4f2f5883f86af789f81413
  SHA1:   e71b8a9266a82c28219ae2ab6eb2144ad1731fb6
  SHA256: 11e625062add39e8ea1386fd28965cd4f2e52fcb6825f7bd1607db576a09f7ca
  SHA512: 0421952ad1365486147e9232fb966b62d2551d098568579bd103a9df4a7c0a04ad2c889e6c7e9d6318a7a7215a08af89449ea645373f07ec9041865f82d49ba4

- Filesize: 39KB
  MD5:    b7883beb25b0e80e8d6dd9c26a097176
  SHA1:   31c08ec757ae27bbe0983fff0ef11da5c6d521f9
  SHA256: ae5bdfddedf6924ed453e07d2a5ab7cb9d1dc7cc550ab355cb0de061705c9951
  SHA512: a26fadabac0872a43b747358621316b246db51ca833fa48ad6b16c232535928f311666952ce27f5f37f157e6d0df22675d2d3aa4c5d18820297057c09e73961c

- Filesize: 2KB
  MD5:    53349ff0e74e480ccb368417e0e97688
  SHA1:   98991a25e0e0bf4f72e9d117caef6382554e5e75
  SHA256: ba3648277040cbefd390d06d3c49e630c480d48f42edd98e66b3247260d9cf6a
  SHA512: 7b712d14c8c1774465e63ac4a15d6443c4ee88f95b9797894881973e7411de2799c4e600a5739d1fcda8b5c76b7329274055046eda505c51f9e3e12e49159b50

- Filesize: 52KB
  MD5:    8bbb1c5fd910a301ba470730a86796f1
  SHA1:   d4e5a20e275c13bf14b080e75f8ed3ffc901fa90
  SHA256: b884b18c4842963e476f4f8c8dcd4408d600e3ba411d17ccbeedb1739f6eef31
  SHA512: 2ea4d341ce86f7b5aab513687e7dc9b667b0be2d9c6cdb3047344bb510db02a21bb78e88e7e0b3da5f92286316ef3262580b124a1fd0529d21412cd540e39586

- Filesize: 2.5MB
  MD5:    038882449b3b9e60f126e690a4a7bb20
  SHA1:   9671b9de5a0b2d52bd425476cdb76e1d8f830ce0
  SHA256: 1a138f57f163b61dda4c4e162351c6b29d64be774555bf734fa5c4ab064ea4a9
  SHA512: f64dff3d3b6ae063ffc547e61ecfdb8d5f9d53997ef9b1076f81ec10a6ae8a068dad13c80776df0e649f972e802c7864a8004a67b873b3cf11ddfdceecee7537

- Filesize: 388KB
  MD5:    01c89fb05232c8310f6a8b4975297963
  SHA1:   e03d1c9df87e0e6f98f16aae5ebd9fa51d696e35
  SHA256: dbec592da6dd2a4d653def499e22865246f1f6441172fadf1a15db498f11781a
  SHA512: c5df838814f4747f3ba192e39265fadf83295762d3a1f5cf37fcad22c88b0157297a5bd3b5667c394d534f22ca1b680780ff1be12c443d2265dfc674ccdc4b42

- Filesize: 1.3MB
  MD5:    8caa66fd7f2ec899f84a8d53a9504fb5
  SHA1:   93990d481c6daf1b868be0a2dc2a097227022138
  SHA256: 5bb18adf33b709e919fceb167d3380be9df9080e5187d5b77ce0ddd2223c4cf3
  SHA512: 938c62586a8af258a0e3567df3763f053429a927d3a3bbf7c074b38f2ced90d695829507d822a0cd8a29b56a8559af0286bd1f678042e5143b7bf13cb653718d

- Filesize: 108KB
  MD5:    1ec8d89e992d8f04cb0042e2122ca95c
  SHA1:   e26c4b2e038d85cc979b1278e918619f95ad3613
  SHA256: 25b66cefd9a6c8b401c10451668516adc5f11eab9246a19780f59554f12f43c5
  SHA512: 8a52fc4aa73ba2b7e05a8404a9a7c8892829074540374d5c5c6aee3776ab1d2d52cab92fd8fe7572d68d3acd3899ea4fd2504e60f412bbb85a6fcea915da1821

- Filesize: 10KB
  MD5:    efb6435cb9fb6462132181738c729885
  SHA1:   0931e3aa2682fdf676b9b6009e8ca8f92f014e7e
  SHA256: 039981e17c2eb88cb2d08e50f2d323027e27683a7b3b3bc042e76fba40d34ab2
  SHA512: 6d7ad34390579e98cba75dfdbd3ace5af26ddf7f62675e33a29322911e94d1382ea84c8483265644866384ead64ffa55a1a0dd7c6d0787524fa972735f44f015

- Filesize: 538KB
  MD5:    f5bcd111686505634bbabe8296ec90b0
  SHA1:   6a04860c586807f9f0ae46db837f96b5af6b0023
  SHA256: 0175346fd25c6cc528fe7e74bf8d0c742eaa2ccada519d1e37f00e8e8d5951f5
  SHA512: 5b1f8f39174e88c54456f8752d98361fcc616608e3b18b7bdf8613e4d2195b3189de3a1ecf901f9a40694ff73f9f46fc37561f31344f6bdb369979e07955c108

- Filesize: 671KB
  MD5:    a13020f231b588d46aaf82fe9314efdc
  SHA1:   fa43858266fbfa564e98fba78f7e8634659f2dfe
  SHA256: 426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c
  SHA512: ed759afde4cf4960f059162b945c5de0e8270780004309c85093684ebfba93cfbb6e642e9db667ed852e8ceaa8c7c4386ff303db08713af4b31a4eeee45955f0

- Filesize: 158B
  MD5:    4ec3c6681b6d291b4bc3be02e4a03d1c
  SHA1:   7282cd03e6d067f6c72276616587ead46e7474b2
  SHA256: 1a56961c193467380707879716021826f59d8e3385b2e1dc4b33e292d6b4d8c7
  SHA512: a8b270827009db3aed65d8395039c40a2dcc5bb48e5b7bb55896c77e127206d406c7d63c16de3a746eb2e2c4800a9d3ee5acfd17e32ee51c2b56b7bd3fa0e2a0

- Filesize: 98KB
  MD5:    f4612401995a7c88c278716bf9440b44
  SHA1:   33af801b819ac279831836ad9cc706ba4ebad186
  SHA256: 196115722d774a84c84fa51cc1f1bdffabeee3cd1c6c1e33822d88fe4d4bea37
  SHA512: 60d1ff88017c5b7279aef894a0f56dc8d6c20bca1c96cdaf1a1ba2dc953a62d52ccf0084d4fe62b88fca530361343725ffd61fbefa7052f8d92bc4563b7a7daf

- Filesize: 48KB
  MD5:    e5dc7f98f0019fe551eb1a12c95601f5
  SHA1:   9d2e34688311f77349dacb748f811500865236c7
  SHA256: 67c7926e596fb521e0f0fd8e9119c5b354ce754903f15cee64d32a214e32bf84
  SHA512: d664456904ad8cc8e1b47d11aeea0adf4e72e9818d244e3cc72cb2328a093329eeb1d4680c48111e1d0efd588306a7c1d42335e26853be639afb4e94745526a9

- Filesize: 117KB
  MD5:    11d8deea5b29cc172f04bc746edae3bc
  SHA1:   2825675d0aca5bcb1c22873b042195094480842f
  SHA256: 4214600d7beb51376a0dbc60c2b77f589368e5ef46ca401fe43b62f7342fdaa5
  SHA512: c870f7f49fbb027e72d1a1827b99452ed6f2ddf914ac7f1505554379b6f2c815549ef570d4e834fab0ee4f0686903359f1d8982b87768fd5189f4e15ad7805ed

- Filesize: 36KB
  MD5:    f80982c6045a71bb289955a63c2cab28
  SHA1:   9b1193d5c43f55726ce6b195ca12c00e36a0a159
  SHA256: a30a13aed206b0090545a509ee0a1d5470650c849f28e22b7d97cccc0e42c3e8
  SHA512: 966b1c4305b50703e775d961710654daabd08e26bae9e4ebba39f38450802dc6df899b8b7ea481cdf5da33e40b728318de3138aeb5a87429b8c9d0df78868b68

- Filesize: 106KB
  MD5:    cf1a15ceadd7622af49253ce824df047
  SHA1:   d95323410495cfd425ad30750ea58cfd95df11a7
  SHA256: e170fa57c18fe6f244265e3adf4df0fbe332da7ba25285ac8692843a57af0c79
  SHA512: 8117a2692ff97f6cd85a33d4839f4ec65ebd11c87eeb9ef6b70f75e7db29906cc6d10cc8a8e5c68a9129f49fcf0464d58e19cf4d886f84d385bfe4738aa5349c

- Filesize: 41KB
  MD5:    3352fc767f212d8ef1a19bc0d7ab0bef
  SHA1:   5db7fb6cfa4cdb43c345b83d2fbb0bd046affba5
  SHA256: 47030c14ced591b9e410c0f62e58872d041635c4dcbe15762e95505a52eb6113
  SHA512: 786f89e46273b2548e3ecf7ce247244f92c3cced269867dd9077c916a4cc154b6b43167ab4f67f354bb7c150fe7ac2e21427cbd9e04e4ff3683304ba2ab81ddd

- Filesize: 1.2MB
  MD5:    9832a3353831eb90bd2e84cff5553cde
  SHA1:   cc95073dc09cb89400a6503032649d6ea2caee29
  SHA256: 0c1f24d87a4c2b84dd0c020677285819e02b1e1a504f754f1d0748463ef938c8
  SHA512: 1653f9c7ad78232f9e031bc2b307020eee45aed1fe86c1b66779bd64af2f72bb704518efa8ad1b7a6f59d6080d6409f9774a65764549f48f1f479863b3877f16