9b511e467791536a121ebec9f28fae83d6635a63e26db4793cada871812b9105

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
Size

10.2MB
MD5

b50db8650c18fa75670f7b4b4e0c6385
SHA1

9416cfc30c042357542da667a07fd0f619f225aa
SHA256

9b511e467791536a121ebec9f28fae83d6635a63e26db4793cada871812b9105
SHA512

3359deb2e3044b38b5cb4c1ee1ae2ca4ba2ca685b70277b5cc30721286a7191e0931125d3e29823c2fb8ab8e8e122165d78cc45b78a7eae2e61c90828b840ede
SSDEEP

196608:KyEa4qmi4YP1pTqebZQbw3DOs7vsqozRNqPmzS3QlcSxCd/jU2:Kuh4SHTaVZRk+eQmbU2

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	Runner.exe

Loads dropped DLL 4 IoCs

pid	Process
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\RNA20E56AA7517B0F5078CDC0A97790E07E42321D55C80D3F96165B85FA4CABFB9B7ABCC4071153487C6E80A00FEADC044965C9F77A477BE4CD6C79EC0DAD8DBF441E516CE6480EFA12CFC8696BC81515E97E22015C20DEB68 = "8747E76F996AE043"	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "b567947e"	Runner.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2076	PING.EXE
2004	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2904	Runner.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
2904	Runner.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2904	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	29
PID 2172 wrote to memory of 2904	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	29
PID 2172 wrote to memory of 2904	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	29
PID 2172 wrote to memory of 2904	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	29
PID 2172 wrote to memory of 2004	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	30
PID 2172 wrote to memory of 2004	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	30
PID 2172 wrote to memory of 2004	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	30
PID 2172 wrote to memory of 2004	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	30
PID 2172 wrote to memory of 2076	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	32
PID 2172 wrote to memory of 2076	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	32
PID 2172 wrote to memory of 2076	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	32
PID 2172 wrote to memory of 2076	2172	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key O7ri6bd74XZR --product "C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe" --version 2014.03.16480
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:2004
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QMLog\20240703.log

Filesize
274B

MD5
a94c0ae8415ac9089935c264fda4766f

SHA1
864fca0427690cdd28b82289c08d30024ab3e339

SHA256
002cdb1bf808c8e7ffe4339baa34f26052d34521a2d891839ea43de65544412b

SHA512
03e647dec2bce8cc39f41103fa3253f9299846a8fca5e82148fb04c8ce4048cf4efa140ac41cb9339bd69e78f24f0489d88ed21049a0650233c7b2a3fb3a6d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac1822.tmp

Filesize
1KB

MD5
ef5a1bee0c7f828c207757b79399aefe

SHA1
08e45a878e612f546678d5ab1f9a86e9e6d597c7

SHA256
0a458b5459bde68fd34ac138013e990bc9e32a7dab0f88f826f461f298a64a26

SHA512
2d14e2a03952cdf565d1c401fb1ba69f97bd1a08384f0eadf64f044d9ec487da2aebe579d93fb13b8adda00c2f57e0769ec26cd0dcdaa617faf2aaf9db877837

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.2MB

MD5
173936aec3c088c48a8d47baf1b347da

SHA1
3178b945f8a294843df79cb5338f5ca1e1ef2b26

SHA256
4bfe3e268702a0e83420b272409aea03809c0902b2de3b81dd0b5dc26a806615

SHA512
73476fef88084b8b755ebce889adc154f4ec33772dad11544ee6b0e5acfdfb9225845a5e2a2bc7d2b318654824def990e57b03772169d02370b5a6cd2fce14fb

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
memory/2172-55-0x0000000004F60000-0x000000000569A000-memory.dmp

Filesize
7.2MB

Download
memory/2904-56-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/2904-57-0x0000000000401000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/2904-80-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/2904-84-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/2904-85-0x0000000000401000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download