4be9d28af7b857a8aa3efe24556736620fe6bd99433cd0027639358c67e77c4f

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Size

1.4MB
MD5

903f523a006aa9320d83b30a9a69e699
SHA1

0539d0234bc5b86c03d0fca32656e53683301dbc
SHA256

4be9d28af7b857a8aa3efe24556736620fe6bd99433cd0027639358c67e77c4f
SHA512

d770377152153885ac144b0a2d2c6217b9f073555deaad2f32b04304de466b32ac4144c0f3977fadcc125558e47763800f1043c8ca9cc28a20dc8fc9b6e84e44
SSDEEP

24576:wbFjZNH3hYxNLwexaR8cKR5CkJJFJ3ShcD:WFrHRYxNLwex+8ck5Ckb3SyD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
472	Process not Found
2976	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe\""	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2404	2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_903f523a006aa9320d83b30a9a69e699_mafia.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
952e13c76b1c56538e6b277a8c5c146f

SHA1
3a503216797402c6916d7353f9db7a114a807c44

SHA256
f4876734f13385b33f85a3dac2f406934403398e6207f054d19ec7f40335b6cf

SHA512
1f4a7b2041cacf454e02146462df68160e0bdde13fd1a10ee645e95671feac475e05ebe47da2dc7f6685500a9af2b3940c3974c036064f922b30c9f053506d80

Download Submit
memory/2404-8-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2404-7-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2404-0-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2404-16-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2976-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2976-17-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download