Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 13:22

General

  • Target

    2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe

  • Size

    14.1MB

  • MD5

    44d0e7753e5e40231be7c7902fc7657d

  • SHA1

    e755cf1d7d15883e2aaa598c0466c2b78cb6f968

  • SHA256

    c929abac70998995f0bcbbfe913a408c0b487e8c33c16199d269c232d3dda932

  • SHA512

    095e4c5ca659848eccf780e3d165c2b0d6b7c1d24f85dd6e779768a8bcb299d59cb8681708e0c270dd27c7b5d59844cac911d52f6d9e8c400d27f8cf0be46c7f

  • SSDEEP

    393216:Ax+I1pVEanRFM6fYGKWzQglJo6mZnKxr9Wwr4T:Ax+I17/M6fWIQmJHmdk1rw

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 30 IoCs
  • Drops file in System32 directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
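
The "Detects Pyinstaller" signature, the extraction into a TMPDFC1.tmp directory and the python27.dll and *.pyd files listed under Downloads are what a PyInstaller-built executable looks like at rest and at run time: the bootloader carries the Python scripts and PYZ in an archive appended to the PE, terminated by a cookie, and that cookie is what such a signature keys on. The check below is an added example, not code from the sandbox or from the analysed sample. It locates the cookie, walks the table of contents and inflates a member, which is how to list what a bundle contains without running it. The bundle it parses is constructed inside the block with the real on-disk layout; its member names and contents are hypothetical, and only the PyInstaller 2.1+ cookie (88 bytes, carrying the Python DLL name) is handled, not the older 24-byte one.

```python
"""Locate a PyInstaller CArchive cookie in a file and walk its table of contents.

Added example; not code from the sandbox or from the analysed sample.
Layout of a PyInstaller 2.1+ bundle, read from the end backwards:
    ... [bootloader PE] [member data ...][TOC][cookie: 88 bytes] [optional trailer]
"""
import struct
import zlib

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # cookie magic used by every PyInstaller bootloader
# magic, package length, TOC offset, TOC length, python version, python DLL name
COOKIE = struct.Struct("!8sIIii64s")
# entry length, data offset (relative to package start), compressed length,
# uncompressed length, compression flag, type code; the member name follows
TOC_ENTRY = struct.Struct("!iIIIBc")
TYPECODES = {
    b"b": "binary", b"d": "dependency", b"z": "pyz-archive", b"m": "module",
    b"M": "package", b"s": "script", b"x": "data", b"o": "runtime-option",
}


def find_cookie(blob):
    """Offset of the last cookie magic, or -1 when the blob is not a PyInstaller bundle."""
    return blob.rfind(PYINST_MAGIC)  # search from the end: newer bootloaders may append a trailer


def parse_bundle(blob):
    """Return (cookie_info, entries) for a PyInstaller 2.1+ bundle held in memory."""
    off = find_cookie(blob)
    if off < 0 or off + COOKIE.size > len(blob):
        raise ValueError("no PyInstaller cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE.unpack_from(blob, off)
    # pkg_len counts the cookie itself, so the package ends right after it.
    pkg_start = off + COOKIE.size - pkg_len
    if pkg_start < 0:
        raise ValueError("cookie claims a package larger than the file")
    # Older bootloaders store 27/36, newer ones 307/308.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    cookie = {
        "pkg_start": pkg_start,
        "pkg_len": pkg_len,
        "python": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }
    entries = []
    pos = pkg_start + toc_off
    end = pos + toc_len
    while pos < end:
        entry_len, data_off, comp_len, uncomp_len, flag, typecode = TOC_ENTRY.unpack_from(blob, pos)
        if entry_len < TOC_ENTRY.size or pos + entry_len > end:
            raise ValueError("corrupt TOC entry")
        name = blob[pos + TOC_ENTRY.size:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({
            "name": name,
            "type": TYPECODES.get(typecode, typecode.decode("ascii", "replace")),
            "offset": pkg_start + data_off,
            "comp_len": comp_len,
            "uncomp_len": uncomp_len,
            "compressed": bool(flag),
        })
        pos += entry_len
    return cookie, entries


def read_entry(blob, entry):
    """Return one member's bytes, inflating it when the TOC marks it zlib-compressed."""
    raw = blob[entry["offset"]:entry["offset"] + entry["comp_len"]]
    data = zlib.decompress(raw) if entry["compressed"] else raw
    if len(data) != entry["uncomp_len"]:
        raise ValueError(f"{entry['name']}: uncompressed length mismatch")
    return data


def build_sample_bundle():
    """Constructed bundle with the real on-disk layout; member names and contents are hypothetical."""
    members = [  # (name, type code, contents, compressed?)
        ("version.ini", b"x", b"[Version]\nname = example\n", False),
        ("entry_script", b"s", b"print('hypothetical entry point')\n" * 4, True),
    ]
    payload, toc = b"", b""
    for name, typecode, data, compress in members:
        stored = zlib.compress(data, 9) if compress else data
        nm = name.encode() + b"\x00"
        pad = (-(TOC_ENTRY.size + len(nm))) % 16  # PyInstaller pads entries to 16 bytes
        toc += TOC_ENTRY.pack(TOC_ENTRY.size + len(nm) + pad, len(payload),
                              len(stored), len(data), int(compress), typecode)
        toc += nm + b"\x00" * pad
        payload += stored
    pkg_len = len(payload) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(PYINST_MAGIC, pkg_len, len(payload), len(toc), 27, b"python27.dll")
    stub = b"MZ" + b"\x00" * 62  # stands in for the bootloader PE image
    return stub + payload + toc + cookie


if __name__ == "__main__":
    blob = build_sample_bundle()
    info, members = parse_bundle(blob)
    print(f"python {info['python']} ({info['pylib']}), package at {info['pkg_start']:#x}")
    for m in members:
        print(f"  {m['type']:<12} {m['name']:<20} {m['uncomp_len']} bytes")
    print(read_entry(blob, members[1]).decode())
```

To use it on a real file, read the file into `blob` and call `parse_bundle`. The `s` (script) entries are the code the bootloader runs first, so for a dropped executable like GRR.exe they are the first thing to read; a `z` entry is the PYZ holding the bundled modules.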

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe (PID 3344, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe (PID 4104, tree depth 2, child of PID 3344)
      Command line: GRR.exe --install --config GRR.exe.yaml
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3816, tree depth 1)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
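
The tree above shows the submitted sample (PID 3344) running GRR.exe (PID 4104) out of a TMPDFC1.tmp directory it dropped under the same Temp folder, with `--install --config GRR.exe.yaml`. Below is a detection for that parent/child pattern, run over process-creation events, as an added example that is not the sandbox's own logic. The events are constructed in the report's own terms (image path, command line, PID) in a simple key=value format of my own; the explorer.exe root (PID 1234), the parent assigned to msedge.exe, and the TMP1A2B.tmp process (PID 5000, started by explorer.exe rather than by a dropper) are hypothetical and exist to show why the rule checks the parent's location too. The same chain is what a legitimate self-extracting installer produces, so a hit is a triage lead, not a verdict; the resolved config path is the GRR.exe.yaml listed under Downloads, which is the next artifact to read.

```python
"""Flag the 'dropped into a Temp TMP*.tmp directory and executed by its dropper' chain.

Added example, not the sandbox's own detection. Event format, explorer.exe root,
msedge.exe parent and the TMP1A2B.tmp process are constructed for the example.
"""
import ntpath
import re

# Constructed process-creation events; PIDs 3344, 4104 and 3816 and their image
# paths are taken from the report, the rest is hypothetical.
EVENTS = r'''
pid=1234 ppid=900 image="C:\Windows\explorer.exe" cmdline="explorer.exe"
pid=3344 ppid=1234 image="C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe" cmdline="C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"
pid=4104 ppid=3344 image="C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe" cmdline="GRR.exe --install --config GRR.exe.yaml"
pid=3816 ppid=1234 image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" cmdline="msedge.exe --type=utility"
pid=5000 ppid=1234 image="C:\Users\Admin\AppData\Local\Temp\TMP1A2B.tmp\setup.exe" cmdline="setup.exe /quiet"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# <anything>\AppData\Local\Temp\TMP<hex>.tmp\<file>: the GetTempFileName-style
# directory the report shows (TMPDFC1.tmp). Group "temp" captures the Temp folder.
DROP_DIR = re.compile(
    r"^(?P<temp>.*\\AppData\\Local\\Temp)\\TMP[0-9A-F]{1,4}\.tmp\\[^\\]+$", re.I)


def parse_event(line):
    """One key=value line into a dict; quoted values may contain spaces."""
    ev = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev


def find_drop_and_run(log):
    """One finding per process that runs from a TMP*.tmp directory and whose parent
    sits directly in the same Temp folder, i.e. the dropper ran what it dropped."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        m = DROP_DIR.match(ev["image"])
        if not m:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or ntpath.dirname(parent["image"]).lower() != m.group("temp").lower():
            continue  # parent is not in Temp: a normal installer launched by the user
        args = ev["cmdline"].split()
        cfg_path = None
        if "--config" in args and args.index("--config") + 1 < len(args):
            cfg = args[args.index("--config") + 1]
            # A relative --config resolves against the child's own directory.
            cfg_path = cfg if ntpath.isabs(cfg) else ntpath.join(ntpath.dirname(ev["image"]), cfg)
        findings.append({
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "child_pid": ev["pid"],
            "child_image": ev["image"],
            "installs": "--install" in args,
            "config": cfg_path,
        })
    return findings


if __name__ == "__main__":
    for hit in find_drop_and_run(EVENTS):
        print(f"PID {hit['parent_pid']} -> PID {hit['child_pid']}: {hit['child_image']}")
        print(f"  installs={hit['installs']} config={hit['config']}")
```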

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe

      Filesize

      4.2MB

      MD5

      b17d3655a157899fd2904d991d02872c

      SHA1

      3f482357be09118a90864037596b05c8729b0681

      SHA256

      42baea9e58961737c95cefbd1fe30248bc508f9390b27cf39bff84819e5963e5

      SHA512

      c9cf68db26f508fa1a5a8c8d98211810fca2ca3494b91b474a99fe108c2a6446c6a2b94ee6e6926ec65a6898fd0e7c5596b793b7f80f07ce177c9651818bcfca

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe.yaml

      Filesize

      2KB

      MD5

      4532472edcf3a07465f94e43ef4afe1d

      SHA1

      4b54318181d746c7f169edf5060ffed7299b07ef

      SHA256

      e905ffaefd78cec4fd0b282823d3c50eaa11292f59ac1297dc3c1e90ef838832

      SHA512

      a9d7369744191a6cbe690497f2cc98dab86a51b262f7bcc5a40dce0d7b1e59bff2b9b9bd6d17d244d19989adde888a9f5590ff6c429d0715c4fb1fa2418e07e8

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_cffi_backend.pyd

      Filesize

      128KB

      MD5

      891fb059049987c6cf148f4b93cda09f

      SHA1

      5a154ede87b7a72556f46e63cb65b794bc200f52

      SHA256

      dd673ed74e624384c8c9541a799844c0ba95e81c1f67c51971433c7223b6c616

      SHA512

      ff4cc9f33b38bd6af51141c93ee988bb139743e8d2e5be956b971b20b350b7248db9fdd3e83414a92ea5377d4abd8b77f362d7889bf3dc31185d76b90ac19807

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_ctypes.pyd

      Filesize

      89KB

      MD5

      9e6c48ec9508423d0ce6b6e4d4a10d90

      SHA1

      82548d0cfcd99bc11ecee670dc0c1c9538aa6ade

      SHA256

      b700441351b3a24a1ec392376984d3d95a541ea548c77f0df55d7af579ea9c1a

      SHA512

      37fc511610e5ab06a78f276bf0f4b7335a37d40fdf0158f674ecf1b029fe3298e0667230d3f8840258b8e5413108e1e6aeaaff090b3cca6eef007ca5a1f8d926

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_hashlib.pyd

      Filesize

      993KB

      MD5

      b1dbd52e5da083e5b5613a2b4c17a4ef

      SHA1

      0ed87f9e0b572f88e102739daab54db03fade416

      SHA256

      fa57bf3173f2d636984305401c06f1618b8119fea2c311d1173566ea236fa0c6

      SHA512

      dbe14802ff53e8fb9f35baa1c1bd0dc55c1073e0f96b59b5cc3783760e23c645cd453a39b2b4d0ab79ee871ba1cb81154a4cf5c54b67dde7ea14008d72dd2cae

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_multiprocessing.pyd

      Filesize

      27KB

      MD5

      06c8615f66abdd6c2d986d40339d1410

      SHA1

      5db9e634bff65d33ff0ee6aa95182f8291b5afcc

      SHA256

      df9fe9289d591f0891f321f8aae5b7ba7e7c4e8b0ffd5db9766ce90934a202cf

      SHA512

      fc085f5db97f41b0d62bd584d24c68e57e508f225ad55839b0680bb10398b3d6364c88dcc925cb4427e311d9d2631d5d21836419e4a02f3c7d2e9c33e59d6e97

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_socket.pyd

      Filesize

      45KB

      MD5

      600de8a82e2204e88df27714687f88b9

      SHA1

      dac20e0bf5482a6f09648648bc4d38562473c89e

      SHA256

      a24422d519e5a9283a0887d4be09be2ac89797886d8f45151cab5e9fef8db1e1

      SHA512

      3d82eb600bd358a019dcde1f4a337d87f29c9a22937989dddfe697c433f58ba9e4a836752998a542e7df179adafa8c89c99aa18b51b100f7a57aa5b47a456460

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_sqlite3.pyd

      Filesize

      49KB

      MD5

      961525a34aa5c6dee1d3d14d112a699c

      SHA1

      874f2b08555803711d4f5176812baf160eae8c5c

      SHA256

      547b23fc7c82cf95f013223f2164b553e494f7fbb41c0e317069b2fe79d81057

      SHA512

      ae09946b42f7b72e959c5b47b13a6158a955fe194f4145b7569df7c0c47a32024c4f0ab6ee943b34a4b8a2fad2ae65ce3baa852306d09ef4f52ec439d51016d1

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_ssl.pyd

      Filesize

      1.3MB

      MD5

      9b59be1fa8427368c4e0e763f578d74c

      SHA1

      7287fe431a0a67aa41e9952906759746ddcffad1

      SHA256

      4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026

      SHA512

      6905c5f80ff723ff79863332dd8d20d4cbbe224d355ba9b824a6f29ead62ebec16fa96ec664bdb56a2688847881a53c34459311c156f35aa887b2a808a6e9032

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_yaml.pyd

      Filesize

      216KB

      MD5

      5c78e849e57910f9c9c3aa7dd30407fc

      SHA1

      21a4a2db35ccfcd5efcb5b0912c776238a2940d6

      SHA256

      e00f3b812b7d67d86b8eed34abd5b86adfcd08904b2a1c59ec9b516205be63a8

      SHA512

      442c091fe2d259c2de42c1922cc2fb4e11c1317a10a68d06b0781878cb6c1beaa616a96b0f5ed06a05b8f5d5ff71a2291eff3ed23720a1b3e8bdef08626b7817

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\build.yaml

      Filesize

      387B

      MD5

      6c200db311716cc01e9affaf1698b2e3

      SHA1

      458a0b48439407b973a6b378dd296c5d768a0ce4

      SHA256

      c6d7ab6f03f19d5c05cbd5a21bd37d1537147b3d040e7f0cd934c067e97f0144

      SHA512

      f2eb13a554a98d4b94c86d3924650895ae5c881f6da44414f69fcb9f5d317692782763ba15cd48a226d0e288ac47bb2734d9a7f54ad8f0d8128ef6860f9a4fb2

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._constant_time.pyd

      Filesize

      7KB

      MD5

      1fccc08819ac663d36e1c567e34e8451

      SHA1

      9218d2a68454828e1fe5f06faf3a14139bd3f494

      SHA256

      7318b66e5ea1348e6875b1e0217e450e22c3fb9c96739d746be19c01be69073d

      SHA512

      e744708102cc6bb57dd65e28fa29471c75784dbbb64b1d29ff06ef4ae1d1b84d62abc3da9bec6645f079b4900ee95981755d3e2b9cdf1bb005c589877478a7c9

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._openssl.pyd

      Filesize

      2.2MB

      MD5

      1f30b7cc98dfcfe314c570d1fe8a0b1a

      SHA1

      9ad798c634679150ff14995c1deeb658cc9abf53

      SHA256

      0b602cca491f17f3d55cc1b760bb1ebe48d96e4ca68cb6769c46960add08b67c

      SHA512

      f6cd07c59df110c95ff699dbc3ef0c1ad14a7edfa64b5534228bc0587898cf7866d9ebba0c5dc2759e187f90b50cdfa706f633a2e32f1d460c652cb7a84a560d

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._padding.pyd

      Filesize

      7KB

      MD5

      7db9c7461c4f2f5883f86af789f81413

      SHA1

      e71b8a9266a82c28219ae2ab6eb2144ad1731fb6

      SHA256

      11e625062add39e8ea1386fd28965cd4f2e52fcb6825f7bd1607db576a09f7ca

      SHA512

      0421952ad1365486147e9232fb966b62d2551d098568579bd103a9df4a7c0a04ad2c889e6c7e9d6318a7a7215a08af89449ea645373f07ec9041865f82d49ba4

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\lib2to3\Grammar2.7.16.final.0.pickle

      Filesize

      39KB

      MD5

      b7883beb25b0e80e8d6dd9c26a097176

      SHA1

      31c08ec757ae27bbe0983fff0ef11da5c6d521f9

      SHA256

      ae5bdfddedf6924ed453e07d2a5ab7cb9d1dc7cc550ab355cb0de061705c9951

      SHA512

      a26fadabac0872a43b747358621316b246db51ca833fa48ad6b16c232535928f311666952ce27f5f37f157e6d0df22675d2d3aa4c5d18820297057c09e73961c

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\lib2to3\PatternGrammar2.7.16.final.0.pickle

      Filesize

      2KB

      MD5

      53349ff0e74e480ccb368417e0e97688

      SHA1

      98991a25e0e0bf4f72e9d117caef6382554e5e75

      SHA256

      ba3648277040cbefd390d06d3c49e630c480d48f42edd98e66b3247260d9cf6a

      SHA512

      7b712d14c8c1774465e63ac4a15d6443c4ee88f95b9797894881973e7411de2799c4e600a5739d1fcda8b5c76b7329274055046eda505c51f9e3e12e49159b50

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\psutil._psutil_windows.pyd

      Filesize

      52KB

      MD5

      8bbb1c5fd910a301ba470730a86796f1

      SHA1

      d4e5a20e275c13bf14b080e75f8ed3ffc901fa90

      SHA256

      b884b18c4842963e476f4f8c8dcd4408d600e3ba411d17ccbeedb1739f6eef31

      SHA512

      2ea4d341ce86f7b5aab513687e7dc9b667b0be2d9c6cdb3047344bb510db02a21bb78e88e7e0b3da5f92286316ef3262580b124a1fd0529d21412cd540e39586

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\python27.dll

      Filesize

      2.5MB

      MD5

      038882449b3b9e60f126e690a4a7bb20

      SHA1

      9671b9de5a0b2d52bd425476cdb76e1d8f830ce0

      SHA256

      1a138f57f163b61dda4c4e162351c6b29d64be774555bf734fa5c4ab064ea4a9

      SHA512

      f64dff3d3b6ae063ffc547e61ecfdb8d5f9d53997ef9b1076f81ec10a6ae8a068dad13c80776df0e649f972e802c7864a8004a67b873b3cf11ddfdceecee7537

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pythoncom27.dll

      Filesize

      388KB

      MD5

      01c89fb05232c8310f6a8b4975297963

      SHA1

      e03d1c9df87e0e6f98f16aae5ebd9fa51d696e35

      SHA256

      dbec592da6dd2a4d653def499e22865246f1f6441172fadf1a15db498f11781a

      SHA512

      c5df838814f4747f3ba192e39265fadf83295762d3a1f5cf37fcad22c88b0157297a5bd3b5667c394d534f22ca1b680780ff1be12c443d2265dfc674ccdc4b42

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pytsk3.pyd

      Filesize

      1.3MB

      MD5

      8caa66fd7f2ec899f84a8d53a9504fb5

      SHA1

      93990d481c6daf1b868be0a2dc2a097227022138

      SHA256

      5bb18adf33b709e919fceb167d3380be9df9080e5187d5b77ce0ddd2223c4cf3

      SHA512

      938c62586a8af258a0e3567df3763f053429a927d3a3bbf7c074b38f2ced90d695829507d822a0cd8a29b56a8559af0286bd1f678042e5143b7bf13cb653718d

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pywintypes27.dll

      Filesize

      108KB

      MD5

      1ec8d89e992d8f04cb0042e2122ca95c

      SHA1

      e26c4b2e038d85cc979b1278e918619f95ad3613

      SHA256

      25b66cefd9a6c8b401c10451668516adc5f11eab9246a19780f59554f12f43c5

      SHA512

      8a52fc4aa73ba2b7e05a8404a9a7c8892829074540374d5c5c6aee3776ab1d2d52cab92fd8fe7572d68d3acd3899ea4fd2504e60f412bbb85a6fcea915da1821

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\select.pyd

      Filesize

      10KB

      MD5

      efb6435cb9fb6462132181738c729885

      SHA1

      0931e3aa2682fdf676b9b6009e8ca8f92f014e7e

      SHA256

      039981e17c2eb88cb2d08e50f2d323027e27683a7b3b3bc042e76fba40d34ab2

      SHA512

      6d7ad34390579e98cba75dfdbd3ace5af26ddf7f62675e33a29322911e94d1382ea84c8483265644866384ead64ffa55a1a0dd7c6d0787524fa972735f44f015

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\sqlite3.dll

      Filesize

      538KB

      MD5

      f5bcd111686505634bbabe8296ec90b0

      SHA1

      6a04860c586807f9f0ae46db837f96b5af6b0023

      SHA256

      0175346fd25c6cc528fe7e74bf8d0c742eaa2ccada519d1e37f00e8e8d5951f5

      SHA512

      5b1f8f39174e88c54456f8752d98361fcc616608e3b18b7bdf8613e4d2195b3189de3a1ecf901f9a40694ff73f9f46fc37561f31344f6bdb369979e07955c108

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\unicodedata.pyd

      Filesize

      671KB

      MD5

      a13020f231b588d46aaf82fe9314efdc

      SHA1

      fa43858266fbfa564e98fba78f7e8634659f2dfe

      SHA256

      426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c

      SHA512

      ed759afde4cf4960f059162b945c5de0e8270780004309c85093684ebfba93cfbb6e642e9db667ed852e8ceaa8c7c4386ff303db08713af4b31a4eeee45955f0

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\version.ini

      Filesize

      158B

      MD5

      4ec3c6681b6d291b4bc3be02e4a03d1c

      SHA1

      7282cd03e6d067f6c72276616587ead46e7474b2

      SHA256

      1a56961c193467380707879716021826f59d8e3385b2e1dc4b33e292d6b4d8c7

      SHA512

      a8b270827009db3aed65d8395039c40a2dcc5bb48e5b7bb55896c77e127206d406c7d63c16de3a746eb2e2c4800a9d3ee5acfd17e32ee51c2b56b7bd3fa0e2a0

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32api.pyd

      Filesize

      98KB

      MD5

      f4612401995a7c88c278716bf9440b44

      SHA1

      33af801b819ac279831836ad9cc706ba4ebad186

      SHA256

      196115722d774a84c84fa51cc1f1bdffabeee3cd1c6c1e33822d88fe4d4bea37

      SHA512

      60d1ff88017c5b7279aef894a0f56dc8d6c20bca1c96cdaf1a1ba2dc953a62d52ccf0084d4fe62b88fca530361343725ffd61fbefa7052f8d92bc4563b7a7daf

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32evtlog.pyd

      Filesize

      48KB

      MD5

      e5dc7f98f0019fe551eb1a12c95601f5

      SHA1

      9d2e34688311f77349dacb748f811500865236c7

      SHA256

      67c7926e596fb521e0f0fd8e9119c5b354ce754903f15cee64d32a214e32bf84

      SHA512

      d664456904ad8cc8e1b47d11aeea0adf4e72e9818d244e3cc72cb2328a093329eeb1d4680c48111e1d0efd588306a7c1d42335e26853be639afb4e94745526a9

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32file.pyd

      Filesize

      117KB

      MD5

      11d8deea5b29cc172f04bc746edae3bc

      SHA1

      2825675d0aca5bcb1c22873b042195094480842f

      SHA256

      4214600d7beb51376a0dbc60c2b77f589368e5ef46ca401fe43b62f7342fdaa5

      SHA512

      c870f7f49fbb027e72d1a1827b99452ed6f2ddf914ac7f1505554379b6f2c815549ef570d4e834fab0ee4f0686903359f1d8982b87768fd5189f4e15ad7805ed

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32process.pyd

      Filesize

      36KB

      MD5

      f80982c6045a71bb289955a63c2cab28

      SHA1

      9b1193d5c43f55726ce6b195ca12c00e36a0a159

      SHA256

      a30a13aed206b0090545a509ee0a1d5470650c849f28e22b7d97cccc0e42c3e8

      SHA512

      966b1c4305b50703e775d961710654daabd08e26bae9e4ebba39f38450802dc6df899b8b7ea481cdf5da33e40b728318de3138aeb5a87429b8c9d0df78868b68

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32security.pyd

      Filesize

      106KB

      MD5

      cf1a15ceadd7622af49253ce824df047

      SHA1

      d95323410495cfd425ad30750ea58cfd95df11a7

      SHA256

      e170fa57c18fe6f244265e3adf4df0fbe332da7ba25285ac8692843a57af0c79

      SHA512

      8117a2692ff97f6cd85a33d4839f4ec65ebd11c87eeb9ef6b70f75e7db29906cc6d10cc8a8e5c68a9129f49fcf0464d58e19cf4d886f84d385bfe4738aa5349c

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32service.pyd

      Filesize

      41KB

      MD5

      3352fc767f212d8ef1a19bc0d7ab0bef

      SHA1

      5db7fb6cfa4cdb43c345b83d2fbb0bd046affba5

      SHA256

      47030c14ced591b9e410c0f62e58872d041635c4dcbe15762e95505a52eb6113

      SHA512

      786f89e46273b2548e3ecf7ce247244f92c3cced269867dd9077c916a4cc154b6b43167ab4f67f354bb7c150fe7ac2e21427cbd9e04e4ff3683304ba2ab81ddd

    • C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\yara.pyd

      Filesize

      1.2MB

      MD5

      9832a3353831eb90bd2e84cff5553cde

      SHA1

      cc95073dc09cb89400a6503032649d6ea2caee29

      SHA256

      0c1f24d87a4c2b84dd0c020677285819e02b1e1a504f754f1d0748463ef938c8

      SHA512

      1653f9c7ad78232f9e031bc2b307020eee45aed1fe86c1b66779bd64af2f72bb704518efa8ad1b7a6f59d6080d6409f9774a65764549f48f1f479863b3877f16

    • memory/4104-204-0x00000000051B0000-0x000000000530C000-memory.dmp

      Filesize

      1.4MB

    • memory/4104-176-0x0000000003560000-0x0000000003598000-memory.dmp

      Filesize

      224KB

    • memory/4104-186-0x00000000035A0000-0x00000000035C3000-memory.dmp

      Filesize

      140KB

    • memory/4104-198-0x0000000005070000-0x00000000051A4000-memory.dmp

      Filesize

      1.2MB