00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
Size

1.0MB
MD5

4a0924c3e7079e44966246c1057de747
SHA1

9ae9a85cdcba274150a561590ceb709cc5ca4508
SHA256

00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84
SHA512

4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b
SSDEEP

24576:HG2EgSiOmJK8f40qsis1fL+rwyf5OH/ItewTvBy81u8vLHII/GY:HGMSiiFs1aR5OH4nBynqII

Score

10^/10

evasion persistence privilege_escalation trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	gpqnxnblma.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3112	netsh.exe

Executes dropped EXE 5 IoCs

pid	Process
1556	cpynsh9f1iudadincutkxorw.exe
1616	gpqnxnblma.exe
488	hzknawajtiqz.exe
3780	gpqnxnblma.exe
3980	cpynsh9dl5dstdin.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	gpqnxnblma.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	gpqnxnblma.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\xwseykagkku\lck	cpynsh9f1iudadincutkxorw.exe
File opened for modification	C:\Windows\gpqnxnblma.exe	cpynsh9f1iudadincutkxorw.exe
File opened for modification	C:\Windows\xwseykagkku\tst	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\lck	gpqnxnblma.exe
File created	C:\Windows\hzknawajtiqz.exe	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\	hzknawajtiqz.exe
File created	C:\Windows\xwseykagkku\run	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\tst	gpqnxnblma.exe
File created	C:\Windows\xwseykagkku\cfg	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\	gpqnxnblma.exe
File created	C:\Windows\xwseykagkku\lck	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\	2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
File opened for modification	C:\Windows\xwseykagkku\tst	cpynsh9f1iudadincutkxorw.exe
File created	C:\Windows\gpqnxnblma.exe	cpynsh9f1iudadincutkxorw.exe
File opened for modification	C:\Windows\hzknawajtiqz.exe	gpqnxnblma.exe
File opened for modification	C:\Windows\xwseykagkku\tst	hzknawajtiqz.exe
File opened for modification	C:\Windows\xwseykagkku\rng	gpqnxnblma.exe
File created	C:\Windows\xwseykagkku\tst	2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
File opened for modification	C:\Windows\xwseykagkku\	cpynsh9f1iudadincutkxorw.exe
File opened for modification	C:\Windows\xwseykagkku\	gpqnxnblma.exe
File created	C:\Windows\xwseykagkku\rng	gpqnxnblma.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	gpqnxnblma.exe
1616	gpqnxnblma.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe
488	hzknawajtiqz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1556	2104	2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe	90
PID 2104 wrote to memory of 1556	2104	2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe	90
PID 2104 wrote to memory of 1556	2104	2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe	90
PID 1616 wrote to memory of 488	1616	gpqnxnblma.exe	92
PID 1616 wrote to memory of 488	1616	gpqnxnblma.exe	92
PID 1616 wrote to memory of 488	1616	gpqnxnblma.exe	92
PID 1556 wrote to memory of 3780	1556	cpynsh9f1iudadincutkxorw.exe	93
PID 1556 wrote to memory of 3780	1556	cpynsh9f1iudadincutkxorw.exe	93
PID 1556 wrote to memory of 3780	1556	cpynsh9f1iudadincutkxorw.exe	93
PID 1616 wrote to memory of 3112	1616	gpqnxnblma.exe	94
PID 1616 wrote to memory of 3112	1616	gpqnxnblma.exe	94
PID 1616 wrote to memory of 3112	1616	gpqnxnblma.exe	94
PID 1616 wrote to memory of 3980	1616	gpqnxnblma.exe	96
PID 1616 wrote to memory of 3980	1616	gpqnxnblma.exe	96
PID 1616 wrote to memory of 3980	1616	gpqnxnblma.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_4a0924c3e7079e44966246c1057de747_mafia.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe
  "C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\gpqnxnblma.exe
    "C:\Windows\gpqnxnblma.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3780

C:\Windows\gpqnxnblma.exe
C:\Windows\gpqnxnblma.exe
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\hzknawajtiqz.exe
  WATCHDOGPROC "c:\windows\gpqnxnblma.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:488
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3112
- C:\Windows\TEMP\cpynsh9dl5dstdin.exe
  C:\Windows\TEMP\cpynsh9dl5dstdin.exe -r 39500 tcp
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpynsh9f1iudadincutkxorw.exe

Filesize
1.0MB

MD5
4a0924c3e7079e44966246c1057de747

SHA1
9ae9a85cdcba274150a561590ceb709cc5ca4508

SHA256
00465a6a0df80b9136a40f295febb242ef3eb3a81c24c643aa6639aa79414f84

SHA512
4962f7caec157e7f6beaba4c0824b6012edab366bd6cf849bad2ed70645ed6db9fe015b1359ea68f201f1797c473c134958446c32949e62e3670c7389f89871b

Download Submit
C:\Windows\Temp\cpynsh9dl5dstdin.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\xwseykagkku\rng

Filesize
4B

MD5
40497c86020084c2bbf5445cd18d597a

SHA1
bd3e974b3c0619c84b98c0be0aabf91f4101bc64

SHA256
95289b2dda0e64fd15afd08d382f6af6a1cf08d74d1dc4e3b607d8ca89f23760

SHA512
b2d5bbd49a298259676b4ea9f0fa318f1286aac256ff69250d17a9ed96519ad564be1edd5d4f805e5f60d1fad1249c64f1491e9c2b1d19387220d646cf286779

Download Submit
C:\Windows\xwseykagkku\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
memory/3980-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download