File name: 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia

Full analysis: https://app.any.run/tasks/8826fd6d-7b2f-494f-a470-712145dd06d8
Verdict: Malicious activity
Analysis date: January 10, 2025, 17:56:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: tofsee
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: A60AC9F9F8401B075313D1EA5ED38A3D
SHA1: A399AE72488052B9A5B629B0BC9D5C47E4B503E3
SHA256: 48CD6C50CEFF5D85C03B03B9864B6631983BF8B5A0B2A599857B924AAD773DA0
SSDEEP: 24576:MaMJJY2FdVvMwjKSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSC:MaMfY2FdVvMwj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 3680)
    • Changes the autorun value in the registry

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
    • Executes application which crashes

      • kbjhrmth.exe (PID: 372)
      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
    • Connects to SMTP port

      • svchost.exe (PID: 3680)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 3680)
    • Executable content was dropped or overwritten

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
  • INFO

    • Checks supported languages

      • kbjhrmth.exe (PID: 372)
      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
    • Process checks computer location settings

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
    • Create files in a temporary directory

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
    • Reads the computer name

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
      • kbjhrmth.exe (PID: 372)
    • The process uses the downloaded file

      • 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID: 4684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:20 13:44:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 168448
InitializedDataSize: 138240
UninitializedDataSize: -
EntryPoint: 0x40b3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Screenshots: all screenshots are available in the full report
Total processes: 131
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree; "no specs" marks processes without their own detections, #TOFSEE marks the YARA hit)

explorer.exe
└─ 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe (PID 4684)
   ├─ wusa.exe (PID 5696, no specs)
   ├─ wusa.exe (PID 1064)
   ├─ kbjhrmth.exe (PID 372)
   │  ├─ svchost.exe (PID 3680) #TOFSEE
   │  └─ WerFault.exe (PID 1804, no specs)
   └─ WerFault.exe (PID 440, no specs)

Process information

Per process: PID, command line (CMD), image path, parent process, user, integrity level, exit code and the first loaded modules. Exit codes are given as the sandbox prints them (unsigned decimal) with the NTSTATUS value decoded.

Note the wusa.exe pair: PID 5696 starts at MEDIUM integrity and exits with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); PID 1064 is then started by the same MEDIUM-integrity parent, runs at HIGH integrity and exits 0. wusa.exe is a Microsoft-signed binary that auto-elevates under default UAC settings, so this is the point in the tree to examine when asking how the sample obtained an elevated process.
PID: 4684
CMD: "C:\Users\admin\Desktop\2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe"
Path: C:\Users\admin\Desktop\2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (images):
c:\users\admin\desktop\2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5696
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe (the System32 path in the command line is redirected to SysWOW64 because the caller is a 32-bit process)
Parent process: 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Update Standalone Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1064
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 372
CMD: "C:\Users\admin\kbjhrmth.exe" /d"C:\Users\admin\Desktop\2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe" /e550302100000007F
Path: C:\Users\admin\kbjhrmth.exe
Parent process: 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (images):
c:\users\admin\kbjhrmth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 440
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4684 -s 1236
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3680
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: kbjhrmth.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: none recorded
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 1804
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 372 -s 588
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: kbjhrmth.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
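The checks an analyst would run over a process table like the one above, as an added example (mine, not ANY.RUN's code). The REPORT_PROCS records are transcribed from this report; the Proc layout, the AUTO_ELEVATING set and the function names are assumptions of the example, and only the two NTSTATUS values that occur in the report are decoded.

```python
"""Triage checks over a sandbox process tree.

Added example, not ANY.RUN's code. REPORT_PROCS is transcribed from the
'Process information' section of this report; the Proc field names, the
check functions and the AUTO_ELEVATING set are my own. Only the two NTSTATUS
values that appear in the report are decoded.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",    # printed by the sandbox as 3221225477
    0xC000042C: "STATUS_ELEVATION_REQUIRED",  # printed by the sandbox as 3221226540
}
# Microsoft binaries whose manifest sets autoElevate=true; wusa.exe is the one seen here.
AUTO_ELEVATING = {"wusa.exe"}
INTEGRITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                  # image file name only
    parent_pid: Optional[int]   # None when the parent (explorer.exe) is outside the report
    integrity: str
    exit_code: Optional[int]    # None when the report shows no exit code
    cmdline: str = ""


REPORT_PROCS = [
    Proc(4684, "2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe", None, "MEDIUM", 3221225477),
    Proc(5696, "wusa.exe", 4684, "MEDIUM", 3221226540, r'"C:\Windows\System32\wusa.exe"'),
    Proc(1064, "wusa.exe", 4684, "HIGH", 0, r'"C:\WINDOWS\SysWOW64\wusa.exe"'),
    Proc(372, "kbjhrmth.exe", 4684, "MEDIUM", 3221225477,
         r'"C:\Users\admin\kbjhrmth.exe" /d"C:\Users\admin\Desktop'
         r'\2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe" /e550302100000007F'),
    Proc(440, "WerFault.exe", 4684, "MEDIUM", 0, r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4684 -s 1236"),
    Proc(3680, "svchost.exe", 372, "MEDIUM", None, "svchost.exe"),
    Proc(1804, "WerFault.exe", 372, "MEDIUM", 0, r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 372 -s 588"),
]


def ntstatus_name(exit_code: int) -> str:
    """Translate the unsigned decimal exit code printed by the sandbox into an NTSTATUS name."""
    code = exit_code & 0xFFFFFFFF
    if code == 0:
        return "STATUS_SUCCESS"
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def elevation_hops(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where the child runs at a higher integrity level than its parent."""
    by_pid = {p.pid: p for p in procs}
    hops = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if parent is not None and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            hops.append((parent.pid, p.pid))
    return hops


def autoelevate_retries(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, succeeded_pid): an auto-elevating binary that exited with
    STATUS_ELEVATION_REQUIRED and was then relaunched by the same parent at HIGH."""
    out = []
    for failed in procs:
        if failed.image.lower() not in AUTO_ELEVATING:
            continue
        if ntstatus_name(failed.exit_code or 0) != "STATUS_ELEVATION_REQUIRED":
            continue
        for ok in procs:
            if (ok.pid != failed.pid and ok.image.lower() == failed.image.lower()
                    and ok.parent_pid == failed.parent_pid and ok.integrity == "HIGH"):
                out.append((failed.pid, ok.pid))
    return out


def werfault_targets(procs: List[Proc]) -> Set[int]:
    """PIDs that crashed, read from 'WerFault.exe -u -p <pid> -s <event>' command lines."""
    targets = set()
    for p in procs:
        if p.image.lower() != "werfault.exe":
            continue
        args = p.cmdline.split()
        if "-p" in args and args.index("-p") + 1 < len(args):
            targets.add(int(args[args.index("-p") + 1]))
    return targets


def rogue_svchost(procs: List[Proc]) -> List[int]:
    """svchost.exe instances not started by services.exe. A genuine svchost.exe is a
    child of services.exe; one spawned by a user-profile executable is where the
    report's YARA hit landed."""
    by_pid = {p.pid: p for p in procs}
    rogue = []
    for p in procs:
        if p.image.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.parent_pid)
        if parent is None or parent.image.lower() != "services.exe":
            rogue.append(p.pid)
    return rogue


def triage(procs: List[Proc]) -> List[str]:
    """Human-readable findings, one per line."""
    notes = []
    for failed, ok in autoelevate_retries(procs):
        notes.append(f"auto-elevating binary retried: PID {failed} got STATUS_ELEVATION_REQUIRED, PID {ok} runs at HIGH")
    for parent, child in elevation_hops(procs):
        notes.append(f"integrity hop: PID {child} runs above its parent PID {parent}")
    for pid in sorted(werfault_targets(procs)):
        notes.append(f"crash: PID {pid} (WerFault.exe launched for it)")
    for pid in rogue_svchost(procs):
        notes.append(f"svchost.exe PID {pid} not parented by services.exe")
    return notes


if __name__ == "__main__":
    for line in triage(REPORT_PROCS):
        print(line)
```

Run against the report's records this yields five findings: the wusa.exe retry (5696 then 1064), the MEDIUM-to-HIGH hop at PID 1064, the two crashes (4684 and 372) and the svchost.exe (3680) parented by kbjhrmth.exe. The same functions apply unchanged to a process list exported from EDR telemetry, as long as it carries parent PID, integrity level and exit code.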
Total events: 1 341
Read events: 1 340
Write events: 1
Delete events: 0

Modification events

(PID) Process: (4684) 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: zajiykct
Value: "C:\Users\admin\kbjhrmth.exe"
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4684 | 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe | C:\Users\admin\AppData\Local\Temp\iewwtihv.exe | executable
  MD5: 20CC2A40BEE06B567BA637756EFB04F2
  SHA256: 7CD70AC0E43941DF9A883049F32DA972FE1804D9BB603E3B1A85CE0ECBFED9D5
4684 | 2025-01-10_a60ac9f9f8401b075313d1ea5ed38a3d_mafia.exe | C:\Users\admin\kbjhrmth.exe | executable
  MD5: 3560121018029FD49F0D95745D2B5875
  SHA256: 5E8E1918CBB84A8A1BCB7BA04AA10F01CD6F52EC313DCCCEC966AA618A49BE99
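The Run-key write and the two dropped executables above share a pattern: 8-letter lowercase names (zajiykct, kbjhrmth, iewwtihv) and an image placed directly in the user profile root or in Temp. As an added example, not part of the report or ANY.RUN's tooling, a small evaluator for autorun values that turns that pattern into checks. SAMPLE_NAME and SAMPLE_VALUE are the report's own registry write; the OneDrive and Temp inputs in the usage note and test are constructed, and the directory rules, the 8-letter heuristic and the function names are assumptions of the example.

```python
"""Assess an autorun (Run key) value such as the one this sample wrote.

Added example, not ANY.RUN's code. SAMPLE_NAME and SAMPLE_VALUE are the registry
write from the 'Modification events' section of this report. The naming
heuristic (8 lowercase letters for both the value name and the image name) is
taken from the names in this report (zajiykct, kbjhrmth, iewwtihv) and is a
heuristic only. The directory rules and function names are my own.
"""
import ntpath
import re
from typing import List

SAMPLE_NAME = "zajiykct"
SAMPLE_VALUE = r'"C:\Users\admin\kbjhrmth.exe"'

# Where a Run value normally points. Anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# The two locations this sample wrote executables to: directly in the profile root, and Temp.
PROFILE_ROOT = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
# Unquoted command line: the image ends at a known executable extension followed by a space or the end.
UNQUOTED_IMAGE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|dll|js|vbs|ps1))(?:\s|$)", re.I)


def image_path(value: str) -> str:
    """Extract the executable path from a Run value.

    Handles the common shapes: "quoted path" [args], unquoted path [args], and a
    launcher such as rundll32.exe dll,Entry (the launcher itself is returned).
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = UNQUOTED_IMAGE.match(value)
    return m.group(1) if m else value.split(" ", 1)[0]


def findings(name: str, value: str) -> List[str]:
    """Reasons an autorun entry deserves attention; an empty list means nothing stood out."""
    path = image_path(value)
    low = path.lower()
    out = []
    if not low.startswith(TRUSTED_PREFIXES):
        if PROFILE_ROOT.match(low):
            out.append("image sits directly in a user profile root")
        elif TEMP_DIR.match(low):
            out.append("image sits in the user Temp directory")
        else:
            out.append("image outside Windows and Program Files")
    base = ntpath.splitext(ntpath.basename(low))[0]
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(base):
        out.append("value name and image name both look machine-generated (8 lowercase letters)")
    if not value.strip().startswith('"') and " " in path:
        out.append("unquoted image path containing spaces")
    return out


if __name__ == "__main__":
    # The report's own entry, plus a constructed benign one for contrast.
    for name, value in [
        (SAMPLE_NAME, SAMPLE_VALUE),
        ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ]:
        print(name, "->", image_path(value), findings(name, value) or "clean")
```

On the report's entry this returns two findings (profile-root image, machine-generated names); a constructed OneDrive entry under Program Files returns none. To use it on a live host, feed it the name/value pairs from the HKCU and HKLM Run keys and follow up each hit by hashing the image and comparing with the dropped-file hashes above.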
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5848 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5848 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1596 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1596 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The Type and Size columns are empty for every row.) None of these requests come from the sample's processes (PIDs 4684, 372, 3680): they are certificate revocation list fetches by Windows Update components (RUXIMICS.exe, MoUsoCoreWorker.exe) and by a different, legitimate svchost.exe (PID 1596). Do not confuse that svchost.exe with the injected one (PID 3680) when reading the network data.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5848 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1596 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5848 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1596 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5848 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1596 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

Ten of the 20 TCP/UDP connections counted above are listed here, and all of them belong to Windows components (the System process's NetBIOS broadcasts to 192.168.100.255 on ports 137 and 138, RUXIMICS.exe, MoUsoCoreWorker.exe and svchost.exe PID 1596). The SMTP connection that the indicators attribute to svchost.exe (PID 3680) is not among them; the PCAP in the full report is needed to see it.

DNS requests (domain, resolved IPs, reputation)

Note: microsoft-com.mail.protection.outlook.com is the mail-exchanger (MX) host for microsoft.com. Tofsee is known primarily as a spam bot, and resolving an MX host fits the "Connects to SMTP port" indicator on svchost.exe (PID 3680); the mail traffic itself does not appear in the connection list above.
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.153
  • 23.48.23.142
  • 23.48.23.139
  • 23.48.23.157
  • 23.48.23.147
  • 23.48.23.140
  • 23.48.23.195
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
microsoft.com
  • 20.236.44.162
  • 20.76.201.171
  • 20.231.239.246
  • 20.70.246.20
  • 20.112.250.133
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.11.0
  • 52.101.40.26
  • 52.101.8.49
  • 52.101.42.0
whitelisted
self.events.data.microsoft.com
  • 104.208.16.89
whitelisted

Threats: no threats detected (no network signature fired; the Tofsee verdict rests on the YARA match in PID 3680 and on behavior)
Debug info: none