9b511e467791536a121ebec9f28fae83d6635a63e26db4793cada871812b9105

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
Size

10.2MB
MD5

b50db8650c18fa75670f7b4b4e0c6385
SHA1

9416cfc30c042357542da667a07fd0f619f225aa
SHA256

9b511e467791536a121ebec9f28fae83d6635a63e26db4793cada871812b9105
SHA512

3359deb2e3044b38b5cb4c1ee1ae2ca4ba2ca685b70277b5cc30721286a7191e0931125d3e29823c2fb8ab8e8e122165d78cc45b78a7eae2e61c90828b840ede
SSDEEP

196608:KyEa4qmi4YP1pTqebZQbw3DOs7vsqozRNqPmzS3QlcSxCd/jU2:Kuh4SHTaVZRk+eQmbU2

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	Runner.exe

Loads dropped DLL 3 IoCs

pid	Process
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "57cc9cfa"	Runner.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4216	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe
5028	Runner.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 5028	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	88
PID 1944 wrote to memory of 5028	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	88
PID 1944 wrote to memory of 5028	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	88
PID 1944 wrote to memory of 4216	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	89
PID 1944 wrote to memory of 4216	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	89
PID 1944 wrote to memory of 4216	1944	2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key wydGBHynv_IK --product "C:\Users\Admin\AppData\Local\Temp\2024-07-03_b50db8650c18fa75670f7b4b4e0c6385_mafia.exe" --version 2014.03.16480
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\boost_interprocess\DqtFXpOVuS47

Filesize
256KB

MD5
1250312e08cf3af8d957b5d006adb417

SHA1
b81fdcaa04318e287ac2cbba47b9eb366e710b0a

SHA256
9f2987005f35615ff23fa5e8134c90ceaf9a3a7c105206079b058dca4761d64b

SHA512
86b73eaebaf2653f927e6f59664e2b6eb4d62375b17298545c96c73fd18e0b692ab0f5466ee359a4a565ba6281123f2be3d3bf95ec0fe9a9f36948097eedbb91

Download Submit
C:\ProgramData\boost_interprocess\JjKDg63qtKtv

Filesize
2.0MB

MD5
7ab7189ff28bcfd9afbb463be32f1c39

SHA1
fcd8a49fa815c80f5cb58829cc8ab2005a93288b

SHA256
52488b736a5fba39c09c3661501b93cb141f4a3927c0f8841daa268a1a040593

SHA512
17beedc9ace5ac2398766cbf57322735ca8ad3c24ec042b14ea23ea66b581d8e38174cbbacc484834762dc84aed1ed43f0d41115f5cdf5d1c95d9e34a71e7ab2

Download Submit
C:\ProgramData\boost_interprocess\Wj6BklpALVa

Filesize
258B

MD5
e64606702b4231757ebfc8ce4b3c3d40

SHA1
d660c6e5dd4306a27b77b833932d87d301ff0e40

SHA256
43e0f675cc37e4b059d5c51f2aeaa53c971e19fb75e6da6d17f9c1007fb8fb47

SHA512
07c96b1b4940346f66c9eb037263ff47f5d547ac7f776beb11c7861271e67820e198bb4ba97207245664624a9dcfcd637566a7ab0520392f7414f63fc11010bc

Download Submit
C:\ProgramData\boost_interprocess\Wj6BklpALVaW

Filesize
256KB

MD5
71f94d392b84005edab7c348c84ac21d

SHA1
f79332f4aff7764521e06d91f62d3c7731453cdf

SHA256
ba037800af0768d34fb771297c46bbee98f77abfd7d123f8e3b2759d6107da06

SHA512
15cc0826e3267c052089b7d16e8705d45f47d60ffb0859727001b1324c20d620765a28d523bf4470a2e572f096ab1f13b7b8049734559178881c1edfbb2cf288

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240703.log

Filesize
274B

MD5
7dacf6c723118b1089ace68d175be030

SHA1
944ffc2e22d91bbe2f44a089a4528780243a6e5c

SHA256
5f6e0eb6bd11640873ab6b7fa0dff1d6e1d30798ae391d246f596550863eef93

SHA512
1de1022c8911bfa6a3f1ddaa44259bed5dc0925c719f2bd212e0b7448c6eec19c2b71c5f65f7b9824e68ba7f0dc6d12e967448ea5b98bcb7124cd7a311ac6d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac4CF7.tmp

Filesize
1KB

MD5
ef5a1bee0c7f828c207757b79399aefe

SHA1
08e45a878e612f546678d5ab1f9a86e9e6d597c7

SHA256
0a458b5459bde68fd34ac138013e990bc9e32a7dab0f88f826f461f298a64a26

SHA512
2d14e2a03952cdf565d1c401fb1ba69f97bd1a08384f0eadf64f044d9ec487da2aebe579d93fb13b8adda00c2f57e0769ec26cd0dcdaa617faf2aaf9db877837

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.2MB

MD5
173936aec3c088c48a8d47baf1b347da

SHA1
3178b945f8a294843df79cb5338f5ca1e1ef2b26

SHA256
4bfe3e268702a0e83420b272409aea03809c0902b2de3b81dd0b5dc26a806615

SHA512
73476fef88084b8b755ebce889adc154f4ec33772dad11544ee6b0e5acfdfb9225845a5e2a2bc7d2b318654824def990e57b03772169d02370b5a6cd2fce14fb

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
memory/5028-80-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-84-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-79-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-54-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-81-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-82-0x0000000000401000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/5028-83-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-63-0x0000000000401000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/5028-85-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-86-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-87-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-88-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-89-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-90-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-91-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download
memory/5028-92-0x0000000000400000-0x0000000000B3A000-memory.dmp

Filesize
7.2MB

Download