Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 20:12
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe
Size: 10.9MB
MD5: 79107b8f2a87e29fe22233956a06ca34
SHA1: 4fd98cd60afecb84cf75907aafc319e5675f469b
SHA256: 4a8d24d9016364ce702217b56eb1e7699ffb7e7f574083f480b016fc36f655aa
SHA512: 34709fc5dd038640b9cc38bfb46c79d8df5f1ee093734592606257ebeaaa9fe1a1aceb7c99c79664ac7fdbac7e3f3a1384009b6478a58f872d2be179b4055c0e
SSDEEP: 6144:b+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:b+r1IeSXMXc7LlxWV4Ug97GZ+ej
Malware Config
Extracted family: tofsee
Hosts: 43.231.4.7, lazystax.ru
Signatures
Windows security bypass
Processes:
  svchost.exe (PID 2300): Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kfactdfe = "0"
  (registers the service directory C:\Windows\SysWOW64\kfactdfe as a Windows Defender path exclusion)
Creates new service(s) 2 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  netsh.exe (PID 2592)
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  svchost.exe (PID 2300): Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kfactdfe\ImagePath = "C:\\Windows\\SysWOW64\\kfactdfe\\vmfipcon.exe"
Deletes itself 1 IoCs
Processes:
  svchost.exe (PID 2300)
Executes dropped EXE 1 IoCs
Processes:
  vmfipcon.exe (PID 2724)
Suspicious use of SetThreadContext 1 IoCs
Processes:
  vmfipcon.exe (PID 2724) set thread context of svchost.exe (PID 2300)
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  sc.exe (PID 2684), sc.exe (PID 2688), sc.exe (PID 2936)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  netsh.exe (PID 2592): Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe (PID 2592): Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe (PID 2592): Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
Caveat: netsh.exe reads the NetSh key on every start to load its registered helper DLLs, so these three reads are a side effect of the firewall rule command run by PID 2592, not evidence that the sample registered a helper DLL of its own; no write to that key appears in this report.
Suspicious use of WriteProcessMemory 30 IoCs
Processes (source PID -> target PID, target image, number of writes):
  2164 (sample) -> 2924 cmd.exe, 4 writes
  2164 (sample) -> 2632 cmd.exe, 4 writes
  2164 (sample) -> 2684 sc.exe, 4 writes
  2164 (sample) -> 2688 sc.exe, 4 writes
  2164 (sample) -> 2936 sc.exe, 4 writes
  2724 (vmfipcon.exe) -> 2300 svchost.exe, 6 writes
  2164 (sample) -> 2592 netsh.exe, 4 writes
The four writes from the sample (PID 2164, 2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe) into each child it spawns accompany ordinary process creation; the six writes from vmfipcon.exe (PID 2724) into svchost.exe (PID 2300), together with the SetThreadContext call above, are the injection of interest.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2924)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kfactdfe\
  C:\Windows\SysWOW64\cmd.exe (PID 2632)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vmfipcon.exe" C:\Windows\SysWOW64\kfactdfe\
  C:\Windows\SysWOW64\sc.exe (PID 2684)
    Command line: "C:\Windows\System32\sc.exe" create kfactdfe binPath= "C:\Windows\SysWOW64\kfactdfe\vmfipcon.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2688)
    Command line: "C:\Windows\System32\sc.exe" description kfactdfe "wifi internet conection"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2936)
    Command line: "C:\Windows\System32\sc.exe" start kfactdfe
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (PID 2592)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
C:\Windows\SysWOW64\kfactdfe\vmfipcon.exe (PID 2724)
  Command line: C:\Windows\SysWOW64\kfactdfe\vmfipcon.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 2300)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Reading the tree: the sample (PID 2164) creates a directory under SysWOW64, moves the dropped vmfipcon.exe into it, registers it as the auto-start service "kfactdfe" (display name "wifi support") with the sample's own path passed as a /d argument, starts the service, and adds an inbound firewall allow rule for the 32-bit svchost.exe under a name that imitates the legitimate host-process description. vmfipcon.exe (PID 2724) appears at the top level because the Service Control Manager starts it, not the sample. It launches a SysWOW64\svchost.exe (PID 2300), writes to its memory and sets its thread context, a pattern consistent with process hollowing; the injected svchost.exe then writes the Defender path exclusion and the service ImagePath, and deletes the original file. Note that the command lines say System32 while the image paths say SysWOW64: the 32-bit sample hits WOW64 file-system redirection, which is why the firewall rule also targets SysWOW64\svchost.exe rather than the real 64-bit host process.
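The following Python script is an added example, not part of the sandbox report and not the malware's or the sandbox's code. It replays the install chain from the process tree above as constructed process-creation events and flags the two links a detection engineer would key on: a service whose binPath lives in a directory the same parent process just created, and a firewall allow rule for an svchost.exe outside System32. The event records and their field names (pid, ppid, image, cmdline) are assumptions built from the command lines in the tree, not a real log schema.

```python
"""Hunt for the Tofsee service-install chain shown in the process tree above.

Added example for this report, not sandbox output or malware code. EVENTS is
constructed from the tree's command lines; the field names (pid, ppid, image,
cmdline) are this example's assumption, and the trailing ">nul" on the netsh
line (shell redirection text) is left out."""
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-06-27_79107b8f2a87e29fe22233956a06ca34_mafia.exe"
SYS32 = r"C:\Windows\System32"
WOW64 = r"C:\Windows\SysWOW64"

EVENTS = [  # constructed from the report's process tree
    {"pid": 2164, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 2924, "ppid": 2164, "image": WOW64 + r"\cmd.exe",
     "cmdline": f'"{SYS32}\\cmd.exe" /C mkdir {WOW64}\\kfactdfe\\'},
    {"pid": 2632, "ppid": 2164, "image": WOW64 + r"\cmd.exe",
     "cmdline": f'"{SYS32}\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmfipcon.exe" {WOW64}\\kfactdfe\\'},
    {"pid": 2684, "ppid": 2164, "image": WOW64 + r"\sc.exe",
     "cmdline": f'"{SYS32}\\sc.exe" create kfactdfe binPath= "{WOW64}\\kfactdfe\\vmfipcon.exe /d\\"{DROPPER}\\"" '
                f'type= own start= auto DisplayName= "wifi support"'},
    {"pid": 2688, "ppid": 2164, "image": WOW64 + r"\sc.exe",
     "cmdline": f'"{SYS32}\\sc.exe" description kfactdfe "wifi internet conection"'},
    {"pid": 2936, "ppid": 2164, "image": WOW64 + r"\sc.exe", "cmdline": f'"{SYS32}\\sc.exe" start kfactdfe'},
    {"pid": 2592, "ppid": 2164, "image": WOW64 + r"\netsh.exe",
     "cmdline": f'"{SYS32}\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
                f'dir=in action=allow program="{WOW64}\\svchost.exe" enable=yes'},
]


def win_argv(cmdline):
    """Minimal CommandLineToArgvW-style split: whitespace separates arguments,
    double quotes group, and backslash-quote is a literal quote. That last rule
    is what unpacks the nested quoting inside sc.exe's binPath value."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_sc_create(argv):
    """Parse 'sc create NAME key= value ...'. sc.exe demands a space after each
    '=', so every key arrives as its own 'key=' token followed by the value."""
    lowered = [a.lower() for a in argv]
    i = lowered.index("create")
    name, opts, rest = argv[i + 1], {}, argv[i + 2:]
    j = 0
    while j < len(rest):
        if rest[j].endswith("=") and j + 1 < len(rest):
            opts[rest[j][:-1].lower()] = rest[j + 1]
            j += 2
        else:
            j += 1
    return name, opts


def parse_kv(argv):
    """key=value tokens as netsh writes them (no space around '=')."""
    return {k.lower(): v for k, sep, v in (a.partition("=") for a in argv) if sep}


def detect(events):
    """Correlate by parent PID: flag a service whose binPath lives in a directory
    the same parent just created, and a firewall allow rule for an svchost.exe
    outside System32 (where the real 64-bit host process lives)."""
    findings, fresh_dirs = [], defaultdict(set)
    for ev in events:
        argv = win_argv(ev["cmdline"])
        lowered = [a.lower() for a in argv]
        # Use the image path, not argv[0]: WOW64 file-system redirection means the
        # command line names System32 while the 32-bit copy in SysWOW64 ran.
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe == "cmd.exe" and "mkdir" in lowered:
            idx = lowered.index("mkdir")
            if idx + 1 < len(argv):
                fresh_dirs[ev["ppid"]].add(argv[idx + 1].rstrip("\\").lower())
        elif exe == "sc.exe" and lowered[1:2] == ["create"]:
            name, opts = parse_sc_create(argv)
            bin_argv = win_argv(opts.get("binpath", ""))  # binPath may carry its own arguments
            image = bin_argv[0] if bin_argv else ""
            if image.rsplit("\\", 1)[0].lower() in fresh_dirs[ev["ppid"]]:
                findings.append({"rule": "service_from_fresh_dir", "pid": ev["pid"], "service": name,
                                 "image": image, "start": opts.get("start", ""),
                                 "display_name": opts.get("displayname", "")})
        elif exe == "netsh.exe" and {"advfirewall", "add", "rule"} <= set(lowered):
            kv = parse_kv(argv)
            prog_dir, _, prog_name = kv.get("program", "").lower().rpartition("\\")
            if (kv.get("action") == "allow" and kv.get("dir") == "in"
                    and prog_name == "svchost.exe" and prog_dir != SYS32.lower()):
                findings.append({"rule": "firewall_allow_masquerade", "pid": ev["pid"],
                                 "program": kv["program"], "name": kv.get("name", "")})
    return findings


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Two details carry most of the weight here. sc.exe's `key= value` syntax (mandatory space after the `=`) means a naive `key=value` split misses every option, so the parser consumes `binPath=` and the following token as a pair; and the binPath value is itself a command line, so it is tokenized a second time to recover the service image before comparing its directory against what the parent created. Matching on the image path rather than argv[0] avoids being fooled by the System32/SysWOW64 mismatch visible in the tree.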
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\vmfipcon.exe
  Filesize: 12.5MB
  MD5: f7be204dbf642a2f941919e2b4a848bd
  SHA1: fb8d491e289ade656b8cf8df5d6a5d37315f1e85
  SHA256: 1a1d04df45b475a2eb017dbf36a273faa561ef379185d7764c696157142c4a63
  SHA512: 6e64281a73083da6bbbcbc901d2753826f680e60d58d08cf687aa3dbe440756c35794e333f7e72ce75c2bd9c5399edc8da317bef354ece192ea23d0cc811017a
memory/2164-2-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize 84KB)
memory/2164-1-0x0000000000660000-0x0000000000760000-memory.dmp (Filesize 1024KB)
memory/2164-13-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize 1.1MB)
memory/2164-14-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize 84KB)
memory/2300-7-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
memory/2300-10-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
memory/2300-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
memory/2300-15-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
memory/2300-16-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
memory/2724-11-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize 1.1MB)