3bc81424b09e111a2f62175e586206996d60bca652207d8ada9679eeeecade5a

General

Target

2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe
Size

467KB
MD5

899653ecf1ff01a716a0a45230613f7a
SHA1

3c50ec68e5841804db11409c6e151d8dc8c4a853
SHA256

3bc81424b09e111a2f62175e586206996d60bca652207d8ada9679eeeecade5a
SHA512

6074a07457a9d71edf6c615459b036a0c2cfb6a0cf9a11477e8839f250d7dfb941a8e78912a27cea560497956e89bbf2ce5c904594478aceae6c8c1fa12d0059
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStKv1VCI2GYN0lQ5d4tNOYzRsq/xwosLV2eYx:Bb4bZudi79LddF2GmAbfRJgAUPPKAk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	FAAC.tmp

Executes dropped EXE 1 IoCs

pid	Process
1920	FAAC.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	FAAC.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
692	WINWORD.EXE
692	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1920	FAAC.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
692	WINWORD.EXE
692	WINWORD.EXE
692	WINWORD.EXE
692	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1920	1980	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	64
PID 1980 wrote to memory of 1920	1980	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	64
PID 1980 wrote to memory of 1920	1980	2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe	64
PID 1920 wrote to memory of 692	1920	FAAC.tmp	94
PID 1920 wrote to memory of 692	1920	FAAC.tmp	94

C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\FAAC.tmp
  "C:\Users\Admin\AppData\Local\Temp\FAAC.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.exe FA44E331AD0858F277E2BA579ACAB51532BB098AC18D29E7EFC41755C1A6A0141AF99B4FC673830D51FC24B9F221856A543D00A0491171B3F74A7C8666262DD9
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-01-08_899653ecf1ff01a716a0a45230613f7a_mafia.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAC.tmp

Filesize
92KB

MD5
eee8c1bd7314fa99a6633b97fadcfa87

SHA1
26700da63365796e564d026cac29b64a8977f034

SHA256
034d6575d010c1624906f0a96f2bee905406f126b5fb23231f70f03aae499bc6

SHA512
e53841707271feea1579aff24fdac21b4e337dda66edd3bf7d8d823e0c443be0bb3ac39fb09e145d9c4dccdd719847ab2d10a1a9be66c8d852412b280bb4d2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAC.tmp

Filesize
133KB

MD5
f6c79ae3145cd47b1244d1be6cf4ae99

SHA1
7ccdfe40ed17ea20b106d87c02fa3c94e1668efe

SHA256
d23815cd8642cf44e2834980a0b241d5aed6ad77e8a92e824c1b830e9e84e281

SHA512
cdf54e70b6a0a4308274c7fdc291890334446c2acd5cb440988630d0affd82ffe74ddc715e328e9d5d61a53d810a96907aabbb75cae33b6bec35193d512279b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/692-26-0x00007FFF0F760000-0x00007FFF0F770000-memory.dmp

Filesize
64KB

Download
memory/692-24-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-22-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-23-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-25-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-29-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-31-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-32-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-33-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-34-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-30-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-35-0x00007FFF0F760000-0x00007FFF0F770000-memory.dmp

Filesize
64KB

Download
memory/692-28-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-27-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-18-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-20-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-21-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-19-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-16-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-15-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-14-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-13-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-17-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-57-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-58-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-79-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-83-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-82-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-81-0x00007FFF51F90000-0x00007FFF52185000-memory.dmp

Filesize
2.0MB

Download
memory/692-80-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-78-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download
memory/692-77-0x00007FFF12010000-0x00007FFF12020000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads