Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2025, 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Resource: win10v2004-20241007-en
General
- Target: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Size: 225KB
- MD5: f9b9fca8d0582074c127358a01079b93
- SHA1: b8e4f0e7b4389ab5aff7f89444f915c6b59f65fd
- SHA256: 650d7baf827dcb92f8209d003892b068f1cbf615e5149b9c27da88166b6f44e3
- SHA512: bab1f20ef5199986966d0d55e5c91a213c595a060f8b0b7ae359163b3a72253da7cd434efd91300353e38b40a72ff6e6c4638c7d4a0e1ad66d4b8e449d05e520
- SSDEEP: 3072:9kR7Gqi0YCmfua54i3Yk44qpW6FNplXFbP6BBNzN9nGb08z8E2oySq3SpZ5+JC+:9kl0Ga5uk41pW6Nl1Gn5ngV2fS+Sp2B
Malware Config
Extracted
F:\$RECYCLE.BIN\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/53af8216ff661482
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Gandcrab family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (269) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ff66136eff66148571b.lock | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only), by 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe in every case, for each of the following 23 paths (in the order recorded):
  \??\K:, \??\O:, \??\Q:, \??\A:, \??\B:, \??\H:, \??\I:, \??\J:, \??\U:, \??\X:, \??\Z:, \??\E:, \??\P:, \??\S:, \??\W:, \??\N:, \??\R:, \??\Y:, \??\G:, \??\L:, \??\M:, \??\T:, \??\V:
- Drops file in Program Files directory (28 IoCs)
  description | ioc | Process (2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe for every entry)
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ff66136eff66148571b.lock
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ff66136eff66148571b.lock
  File opened for modification | C:\Program Files\DenyRegister.wmf
  File opened for modification | C:\Program Files\PublishMount.ex_
  File opened for modification | C:\Program Files\UninstallMount.hta
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ff66136eff66148571b.lock
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt
  File created | C:\Program Files\ff66136eff66148571b.lock
  File opened for modification | C:\Program Files\ReceiveSend.pcx
  File opened for modification | C:\Program Files\ResetSend.rle
  File opened for modification | C:\Program Files\StopConnect.jpeg
  File created | C:\Program Files (x86)\KRAB-DECRYPT.txt
  File opened for modification | C:\Program Files\AssertUndo.pps
  File opened for modification | C:\Program Files\InstallRemove.aiff
  File opened for modification | C:\Program Files\TraceSkip.edrwx
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt
  File opened for modification | C:\Program Files\FindSkip.zip
  File opened for modification | C:\Program Files\MountBlock.ram
  File opened for modification | C:\Program Files\MountCompare.txt
  File opened for modification | C:\Program Files\NewExit.wpl
  File opened for modification | C:\Program Files\UnpublishApprove.ttf
  File created | C:\Program Files (x86)\ff66136eff66148571b.lock
  File opened for modification | C:\Program Files\OpenUse.rle
  File created | C:\Program Files\KRAB-DECRYPT.txt
  File opened for modification | C:\Program Files\RepairStart.mpg
  File opened for modification | C:\Program Files\SubmitGet.xlsx
  File opened for modification | C:\Program Files\MountSearch.php
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Modifies system certificate store (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not present on the page) | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not present on the page) | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process
  The following sequence of 20 token adjustments by wmic.exe (pid 2620) is recorded twice, in this order:
  Token: SeIncreaseQuotaPrivilege | 2620 | wmic.exe
  Token: SeSecurityPrivilege | 2620 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2620 | wmic.exe
  Token: SeLoadDriverPrivilege | 2620 | wmic.exe
  Token: SeSystemProfilePrivilege | 2620 | wmic.exe
  Token: SeSystemtimePrivilege | 2620 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2620 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2620 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2620 | wmic.exe
  Token: SeBackupPrivilege | 2620 | wmic.exe
  Token: SeRestorePrivilege | 2620 | wmic.exe
  Token: SeShutdownPrivilege | 2620 | wmic.exe
  Token: SeDebugPrivilege | 2620 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2620 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2620 | wmic.exe
  Token: SeUndockPrivilege | 2620 | wmic.exe
  Token: SeManageVolumePrivilege | 2620 | wmic.exe
  Token: 33 | 2620 | wmic.exe
  Token: 34 | 2620 | wmic.exe
  Token: 35 | 2620 | wmic.exe
  The remaining three entries belong to vssvc.exe (pid 1680):
  Token: SeBackupPrivilege | 1680 | vssvc.exe
  Token: SeRestorePrivilege | 1680 | vssvc.exe
  Token: SeAuditPrivilege | 1680 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2760 wrote to memory of 2620 | 2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe | 32
  PID 2760 wrote to memory of 2620 | 2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe | 32
  PID 2760 wrote to memory of 2620 | 2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe | 32
  PID 2760 wrote to memory of 2620 | 2760 | 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe | 32
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe"
  PID: 2760
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    PID: 2620
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1680
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 7KB
  MD5: c61f175302049629648ec1d24ac76590
  SHA1: 0ddb923a1702f8205a64554eafc695ace9065ab2
  SHA256: 2d90da06de30660db40837a7df7ff8a2c3d89d9c41d76b5093e11676ac82a3e7
  SHA512: ec93002b8bd5e5132f87c4ac3f9e0d92300c467dd1624fd0c349f3a0e5f04cbd9fec45d298d35e3add9cc6493efe33403648f283d142eb745c1130a2b0fdd3ec