e1cb0c5c2492d3e92377ae48d124b65cc0724cde8f60e56fdb51a00d1428851a

Analysis

max time kernel
1s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe
Size

497KB
MD5

7d50a8e99ec5b54185b26285dd8321f7
SHA1

2d4ebe174dcac140380188dbcbc02fb2eddbd359
SHA256

e1cb0c5c2492d3e92377ae48d124b65cc0724cde8f60e56fdb51a00d1428851a
SHA512

8a40130cd6f97291b63de2cb69b022000b244051fdf28d76cfd6c09301092fac9dfc594e2d8ff4c5f38f2168ce3d32b49e0b4ae3e8495af28642259dde197f52
SSDEEP

6144:1tup22IB7gOBkdFOUzdYG0zmIMcxXPoFjdz5CpIrMFdQ20e8EfxuR7CsX1o5AsYq:1tinoUyQOU+jxZKrOxuJCsX1/cv

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	4260	WerFault.exe	14

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4260	2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe
4260	2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4260
- C:\Users\Admin\AppData\Local\Temp\n2636\s2636.exe
  "C:\Users\Admin\AppData\Local\Temp\n2636\s2636.exe" ins.exe /e 12248950 /u 50b892e5-d96c-476b-834e-555c5bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-01-08_7d50a8e99ec5b54185b26285dd8321f7_mafia.exe"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 4472
  2⤵
  - Program crash
  PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4260 -ip 4260
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n2636\s2636.exe

Filesize
92KB

MD5
adf0d3ecb5da1477e59ad67533445eab

SHA1
91cfecc21685e1b834810755678737e2e86ffbe9

SHA256
3a90ce2564d407875449644396ae2e88c531672098dea472d84e0b2f146d1e77

SHA512
7c397bdf023fa8d2cb14e4d2d46dca207720bd4749e07a8708a724839ac4b20eed73b4c42e54166c5ab89b5ccdb01fecf22c7571fba378e5eb0397fe51b072ac

Download Submit
memory/5060-11-0x00007FFF497D0000-0x00007FFF4A171000-memory.dmp

Filesize
9.6MB

Download
memory/5060-12-0x00007FFF497D0000-0x00007FFF4A171000-memory.dmp

Filesize
9.6MB

Download
memory/5060-14-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5060-17-0x000000001BDB0000-0x000000001C27E000-memory.dmp

Filesize
4.8MB

Download
memory/5060-18-0x000000001C320000-0x000000001C3BC000-memory.dmp

Filesize
624KB

Download
memory/5060-13-0x00000000012D0000-0x00000000012DA000-memory.dmp

Filesize
40KB

Download
memory/5060-19-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download
memory/5060-21-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5060-20-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5060-22-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5060-23-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5060-24-0x000000001D520000-0x000000001D582000-memory.dmp

Filesize
392KB

Download
memory/5060-25-0x000000001FF00000-0x000000002003C000-memory.dmp

Filesize
1.2MB

Download
memory/5060-26-0x0000000020550000-0x0000000020A5E000-memory.dmp

Filesize
5.1MB

Download
memory/5060-27-0x0000000020A60000-0x0000000020B60000-memory.dmp

Filesize
1024KB

Download
memory/5060-28-0x00007FFF497D0000-0x00007FFF4A171000-memory.dmp

Filesize
9.6MB

Download
memory/5060-29-0x00007FFF497D0000-0x00007FFF4A171000-memory.dmp

Filesize
9.6MB

Download
memory/5060-31-0x00007FFF497D0000-0x00007FFF4A171000-memory.dmp

Filesize
9.6MB

Download