3bc81424b09e111a2f62175e586206996d60bca652207d8ada9679eeeecade5a

General

Target

2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe
Size

467KB
MD5

899653ecf1ff01a716a0a45230613f7a
SHA1

3c50ec68e5841804db11409c6e151d8dc8c4a853
SHA256

3bc81424b09e111a2f62175e586206996d60bca652207d8ada9679eeeecade5a
SHA512

6074a07457a9d71edf6c615459b036a0c2cfb6a0cf9a11477e8839f250d7dfb941a8e78912a27cea560497956e89bbf2ce5c904594478aceae6c8c1fa12d0059
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStKv1VCI2GYN0lQ5d4tNOYzRsq/xwosLV2eYx:Bb4bZudi79LddF2GmAbfRJgAUPPKAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	BF2.tmp

Loads dropped DLL 1 IoCs

pid	Process
2864	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	BF2.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2932	2864	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	16
PID 2864 wrote to memory of 2932	2864	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	16
PID 2864 wrote to memory of 2932	2864	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	16
PID 2864 wrote to memory of 2932	2864	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	16
PID 2932 wrote to memory of 3048	2932	BF2.tmp	29
PID 2932 wrote to memory of 3048	2932	BF2.tmp	29
PID 2932 wrote to memory of 3048	2932	BF2.tmp	29
PID 2932 wrote to memory of 3048	2932	BF2.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\BF2.tmp
  "C:\Users\Admin\AppData\Local\Temp\BF2.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe 61F51A41D320D4F41116D396A6EB6DD05C783EF76A406217627C1F46C749BC81DC8F119178C6FDB921ACFD32AD625525E2662970D7A771BF5A54C9479B52EA71
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.doc"
    3⤵
    PID:3048
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.doc

Filesize
7KB

MD5
622b045e4eab36ffcd3fc05b0a636241

SHA1
b8758fc7f8501a7d3c5c91f05dc880375e84a31c

SHA256
c33f0b3bb28555aae6cf104e3aecd1b2419f7c5ecc94f7ff1adba10425838bcf

SHA512
57dcae1d76cc983c98505b3d24fee2de24c3832bc09f2b2cf8381c50708438be1682c24930a3d396f88771dec8c65292aab8dcb73451a55c663b1414e60c59cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF2.tmp

Filesize
30KB

MD5
3a30b0bf75fe9a4801face192cabcceb

SHA1
da23e608b5b0816349087dd6b1d53456db08cd1e

SHA256
43d81cfb61e0ccd77bf55478e04568d83dd311dbf00b9662f93be9d0ae7b4738

SHA512
03fd8e47bda6fde0dde7b9a7fec2981129e3575b84727dabe82908f387d26971bddad514136d8c412834a666f794877b21f96417754e2847cac74464dd572d70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
7e9602b040b8931e8d2b15ea8537b566

SHA1
9988711bbdc059a49599ae0bafc69b2c11110407

SHA256
58fc520d74d5b83cf4cac4beb5f0a6736dc0aac215ebb872061fc9981670ca69

SHA512
802f89273c92dc55ebcf4c391803cac9dea4cba349d0754cfcdf83da0ee32fd981bf6909c208551ce95c479da85a288f3cc4c18d3cfc488198aa9eb1d89e8d38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\BF2.tmp

Filesize
33KB

MD5
cea62786963969510ae8189cb33bedf0

SHA1
ac5f4a766ec5e63a6fbad2b4439eab3f5d1ecb46

SHA256
151cd4d3988078e7e610cfefb4f792f55507474cc55eecd13f4ae9ff4b7469f5

SHA512
5e21377415509d469e1ef8dbf3de579e692a04677cd8137b9223b387707473f9c43a8600fe66474472c4735c1068d76593fccbb11bafb30d8dcfd48b8878ced8

Download Submit
memory/3048-7-0x000000002F281000-0x000000002F282000-memory.dmp

Filesize
4KB

Download
memory/3048-9-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/3048-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3048-28-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/3048-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing