Analysis
- max time kernel: 0s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 19:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe
  Resource: win10v2004-20240611-en
General
- Target: 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe
- Size: 14.7MB
- MD5: 7d693e888c68bc619f8a1a8ad54c5047
- SHA1: 2b2c4bc19afe94bddddc96c552092a0fb91e7d4c
- SHA256: 51849ac5d43fc8106dc522583520818363452d02faf0d3dac8ddd86c53d9c328
- SHA512: 1ce61b0efdeea672bfdf24cc9d084f5e19f72d31ff194ebad428813911154a89edc94f6af695b364f23a2739ef3fbe98cf400422e6925ead1befe39f21b3c885
- SSDEEP: 6144:x+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:x+r1IeSXMXc7LlxWV4Ug97GZ+ej
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) - 2 TTPs
- Modifies Windows Firewall - 2 TTPs, 1 IoCs
  Processes (pid, process): 2652 netsh.exe
- Launches sc.exe - 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes (pid, process): 2640 sc.exe; 2608 sc.exe; 2816 sc.exe
- Enumerates physical storage devices - 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory - 8 IoCs
  Processes (description | pid | process | target process):
  PID 2980 wrote to memory of 1756 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 1756 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 1756 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 1756 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 2836 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 2836 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 2836 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
  PID 2980 wrote to memory of 2836 | 2980 | 2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2980
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ztfjqlwn\
    PID: 1756
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" C:\Windows\SysWOW64\ztfjqlwn\
    PID: 2836
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ztfjqlwn binPath= "C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
    PID: 2608
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ztfjqlwn "wifi internet conection"
    Signatures: Launches sc.exe
    PID: 2816
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ztfjqlwn
    Signatures: Launches sc.exe
    PID: 2640
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
    PID: 2652
- C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe
  Command line: C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe /d"C:\Users\Admin\AppData\Local\Temp\2024-06-30_7d693e888c68bc619f8a1a8ad54c5047_mafia.exe"
  PID: 1928
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2100
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe
  Filesize: 12.3MB
  MD5: a908bcab1a29a94273119e97187b02af
  SHA1: c12a238f232299e9d343dbedc34e68d585d41901
  SHA256: ac75c12068f418f737d4d99b43b6c93ae04aed33cff0992e6f9bbc331a5fdcbd
  SHA512: 3a4d5fbdc56a0428bbef85f4c10ed6c59648ed51ed462be1066c9cfa45bc1fc11c7834a4d2ca092bfa0f7ba6541b58254fcb6a152333b926a7cfd6091802b8bd
- C:\Windows\SysWOW64\ztfjqlwn\jiyubxc.exe
  Filesize: 11.9MB
  MD5: b35a460e181601f23c5b6e73f3e8ea44
  SHA1: 51c91c160367df777341f9858af17cb2506ca571
  SHA256: 9ef6b9a2e9312adacb0c766bdcf6c1173449adc83e4d15dd40410363d8f4cc15
  SHA512: 384c1da69abd3a6077f0f822bc9c9ea6c7483692ece8ed575b1015e136b6f395041fdc98d74efb08f57db1cb46b91d604ba1ac842be0d76285360032c1af6898
- memory/1928-12-0x0000000000400000-0x000000000051A000-memory.dmp
  Filesize: 1.1MB
- memory/2100-7-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2100-10-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2100-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2100-16-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2100-17-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2980-1-0x0000000000660000-0x0000000000760000-memory.dmp
  Filesize: 1024KB
- memory/2980-15-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB
- memory/2980-14-0x0000000000660000-0x0000000000760000-memory.dmp
  Filesize: 1024KB
- memory/2980-13-0x0000000000400000-0x000000000051A000-memory.dmp
  Filesize: 1.1MB
- memory/2980-2-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB