Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2023, 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
  Resource: win10v2004-20230831-en
General
Target: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
Size: 190KB
MD5: 2b2a8c039a67d33ac608fe5660540063
SHA1: 71088b9594deb4296b74e0c5d340b425934c366e
SHA256: 11bd912c5454ced0323488a0844a9c413463c759443d465e7cda28f73db75382
SHA512: 2b6167ecd95c7a6bf018e836f72614e784bb4db127f1d053c4b959f6cb378c1cb6e2d6f48e3ff2fbbd8f1538580ca9eb6286935538b2ef388b00f4157b8e0f3b
SSDEEP: 3072:bD/LRRwelzjlJlBbZpz9lZoVCVBxuH1KKMuoZvVTDz4CxcUTnEv55bAe8:P/Lgep51PzCAuLyvJDMCNnA55A
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation
  Process: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings
  Process: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Opens file in notepad (likely ransom note) (1 IoC)
  PID 4248: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1120: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
  PID 1120: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1120 wrote to memory of 4248 | pid 1120 | Process: 2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe | procid_target: 86 (three identical entries recorded)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe"
   PID: 1120
   Signatures: Checks computer location settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
      PID: 4248
      Signatures: Opens file in notepad (likely ransom note)
      Note: the command line names system32 but the image that actually ran is in SysWOW64. That is WOW64 file system redirection, which only applies to 32-bit callers, so the parent (PID 1120) is a 32-bit process, consistent with the arch:x86 resource tag.
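The signature rows and the process tree above are only useful once they are read together: the three WriteProcessMemory hits target PID 4248, which is the NOTEPAD.EXE child the sample itself launches, and the Geo\Nation read happened on an en-us image. The following script is an added example, not part of the sandbox report or the sample, that transcribes those rows into a constructed pipe-separated form, rebuilds parent links from the tree depth, and applies the checks an analyst would want: flag the geofence read for re-detonation, distinguish a write into a just-created child (which CreateProcess also produces) from a write into an unrelated process, detect the WOW64 redirection, and record which file notepad displayed. The row format, the finding codes and all helper names are this example's own conventions.

```python
"""Added example (not part of the sandbox report): turn the report's flattened
signature and process rows into a small process graph and run the checks an
analyst would apply to them. The pipe-separated row format, the finding codes
and the parsing helpers are this example's own conventions, not the sandbox's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rows transcribed from this report into a constructed pipe-separated form:
# pid|depth|image|command line   (process tree)
PROCESS_ROWS = r"""
1120|1|C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe|"C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe"
4248|2|C:\Windows\SysWOW64\NOTEPAD.EXE|"C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
"""
# kind|detail|pid   (signature IoCs; the three WriteProcessMemory rows are kept as recorded)
IOC_ROWS = r"""
Key value queried|\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation|1120
Key created|\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings|1120
Wrote to memory|PID 1120 wrote to memory of 4248|1120
Wrote to memory|PID 1120 wrote to memory of 4248|1120
Wrote to memory|PID 1120 wrote to memory of 4248|1120
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
QUOTED_IMAGE_RE = re.compile(r'^"[^"]*"\s*(.*)$')


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional[int] = None


def parse_processes(text: str) -> Dict[int, Proc]:
    """Rebuild parent links from the tree depth the report shows (1, 2, ...)."""
    procs: Dict[int, Proc] = {}
    last_at_depth: Dict[int, int] = {}
    for line in text.strip().splitlines():
        pid_s, depth_s, image, cmdline = line.split("|", 3)
        pid, depth = int(pid_s), int(depth_s)
        procs[pid] = Proc(pid, depth, image, cmdline, last_at_depth.get(depth - 1))
        last_at_depth[depth] = pid
    return procs


def parse_iocs(text: str) -> List[Tuple[str, str, int]]:
    rows: List[Tuple[str, str, int]] = []
    for line in text.strip().splitlines():
        kind, detail, pid_s = line.split("|", 2)
        rows.append((kind, detail, int(pid_s)))
    return rows


def memory_writes(iocs: List[Tuple[str, str, int]]) -> Dict[Tuple[int, int], int]:
    """Collapse repeated WriteProcessMemory rows into (source, target) -> count."""
    counts: Dict[Tuple[int, int], int] = {}
    for _, detail, _ in iocs:
        m = WRITE_RE.search(detail)
        if m:
            edge = (int(m.group(1)), int(m.group(2)))
            counts[edge] = counts.get(edge, 0) + 1
    return counts


def findings(procs: Dict[int, Proc], iocs: List[Tuple[str, str, int]]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for kind, detail, pid in iocs:
        # Geo\Nation holds the Windows GeoID of the configured country; a sample
        # that reads it may exit early in a locale it avoids, so an en-us run
        # may not show the full behaviour.
        if kind == "Key value queried" and detail.lower().endswith(r"\geo\nation"):
            out.append(("GEOFENCE_CHECK",
                        f"pid {pid} read {detail}; re-detonate with another Geo\\Nation value"))
    for (src, dst), n in memory_writes(iocs).items():
        target = procs.get(dst)
        if target is not None and target.parent == src:
            # A parent writing into a child it just created is also what
            # CreateProcess does (process parameters are copied into the new
            # process), so this alone does not show injection.
            out.append(("WRITE_TO_OWN_CHILD",
                        f"{n} write(s) from {src} into its child {dst} ({target.image}); "
                        "needs a remote thread, APC or context change to count as injection"))
        else:
            out.append(("WRITE_TO_FOREIGN",
                        f"{n} write(s) from {src} into unrelated process {dst}; investigate"))
    for p in procs.values():
        # WOW64 redirection: a 32-bit process asking for system32\X gets SysWOW64\X.
        if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower():
            out.append(("WOW64_REDIRECT",
                        f"pid {p.pid} ran {p.image} for a system32 command line, so parent {p.parent} is 32-bit"))
        m = QUOTED_IMAGE_RE.match(p.cmdline)
        if p.image.lower().endswith("notepad.exe") and p.parent in procs and m and m.group(1):
            out.append(("NOTE_DISPLAY",
                        f"pid {p.pid} opened {m.group(1)} for its parent {p.parent}; collect that file"))
    return out


if __name__ == "__main__":
    for code, detail in findings(parse_processes(PROCESS_ROWS), parse_iocs(IOC_ROWS)):
        print(f"{code:18} {detail}")
```

Run as-is it reports four findings for this sample: the geofence read, three writes into its own child (not injection evidence on their own), the WOW64 redirection of NOTEPAD.EXE, and C:\HWID.txt as the file to pull from the VM. Feeding it a write whose target is not a child of the writer yields WRITE_TO_FOREIGN instead, which is the case that deserves a closer look.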
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 271B
MD5: d12694db7bb5e8b3acb5f4980c6a7db2
SHA1: 71aac29bc82c43c66427533c460ad03481f1ba9f
SHA256: 87ced392234ec453b4943489c7988d324bdcbbaa3e5758d5c2dadcce2e63be8c
SHA512: 15fe140287db8a322ed9a8d29998ab5daf43471f9060198405a39fc75e3f03ddeae69a6a4a9d4cb042b45b87ff02b22273c763b6527382e0c449390adc482e21