4f4c6e08474205d29d6f93e77afcc0fc3cde8c9f945de3d26b0b5d8b2c95d9cd

Analysis

max time kernel
151s
max time network
192s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
Size

2.9MB
MD5

251a75aed4158fe3093ed4aba9eb091b
SHA1

d54c669d5e1515677b06a6a177dd884dd9b8a393
SHA256

4f4c6e08474205d29d6f93e77afcc0fc3cde8c9f945de3d26b0b5d8b2c95d9cd
SHA512

73851230c8bf575e1d69df23481fc11c89d299c6f50fa7da981469cdaead3ca428791c127c19fc25b5ecfd0676cd3a57ee402749cf132b3dbc1517355266d6c2
SSDEEP

49152:fWnAteSAYvPsqD2AQLRgcTPC4YEeZB92k0Z/6b9HC8ds1mqklFC76g4WRA0DayzZ:7teSAYvPt2AQRTPCKez970Z/6b9HC8dg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	Terms.exe
2660	Terms.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\M:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\G:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\H:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\N:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\S:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\W:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\B:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\E:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\K:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\O:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\P:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\R:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\T:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\U:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\I:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\L:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\V:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened (read-only)	\??\X:	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2748	2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
2704	Terms.exe
2660	Terms.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2660	2704	Terms.exe	31
PID 2704 wrote to memory of 2660	2704	Terms.exe	31
PID 2704 wrote to memory of 2660	2704	Terms.exe	31
PID 2704 wrote to memory of 2660	2704	Terms.exe	31

C:\Users\Admin\AppData\Local\Temp\2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_251a75aed4158fe3093ed4aba9eb091b_mafia_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
2.9MB

MD5
251a75aed4158fe3093ed4aba9eb091b

SHA1
d54c669d5e1515677b06a6a177dd884dd9b8a393

SHA256
4f4c6e08474205d29d6f93e77afcc0fc3cde8c9f945de3d26b0b5d8b2c95d9cd

SHA512
73851230c8bf575e1d69df23481fc11c89d299c6f50fa7da981469cdaead3ca428791c127c19fc25b5ecfd0676cd3a57ee402749cf132b3dbc1517355266d6c2

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
2.9MB

MD5
251a75aed4158fe3093ed4aba9eb091b

SHA1
d54c669d5e1515677b06a6a177dd884dd9b8a393

SHA256
4f4c6e08474205d29d6f93e77afcc0fc3cde8c9f945de3d26b0b5d8b2c95d9cd

SHA512
73851230c8bf575e1d69df23481fc11c89d299c6f50fa7da981469cdaead3ca428791c127c19fc25b5ecfd0676cd3a57ee402749cf132b3dbc1517355266d6c2

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
2.9MB

MD5
251a75aed4158fe3093ed4aba9eb091b

SHA1
d54c669d5e1515677b06a6a177dd884dd9b8a393

SHA256
4f4c6e08474205d29d6f93e77afcc0fc3cde8c9f945de3d26b0b5d8b2c95d9cd

SHA512
73851230c8bf575e1d69df23481fc11c89d299c6f50fa7da981469cdaead3ca428791c127c19fc25b5ecfd0676cd3a57ee402749cf132b3dbc1517355266d6c2

Download Submit
C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
memory/2748-2-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download