3fc011812617b08ccf79faccea5c3f2631c51d2e6123ff14e368d57a258aa8bf

Analysis

max time kernel
3s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe
Size

467KB
MD5

a3624e0e6974e90ba41ef1f54aac26d7
SHA1

f4c957de9b73eaf517d3e6365837e47e41002dce
SHA256

3fc011812617b08ccf79faccea5c3f2631c51d2e6123ff14e368d57a258aa8bf
SHA512

d5fb41e795ae0a7e069d0b65602289c0b536dce2ae7bd9c1b588c2c7eb7aa2a538e8f68d62f01c6cbeb27b29fb19edea66854ccf7cca6775d050b2d42e380cf3
SSDEEP

12288:Bb4bZudi79L/QHsizioszX76BAxd0yZcAk:Bb4bcdkLIJL8zoy4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2428	36BA.tmp

Loads dropped DLL 1 IoCs

pid	Process
2132	2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2428	36BA.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2428	2132	2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe	15
PID 2132 wrote to memory of 2428	2132	2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe	15
PID 2132 wrote to memory of 2428	2132	2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe	15
PID 2132 wrote to memory of 2428	2132	2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe	15
PID 2428 wrote to memory of 2792	2428	36BA.tmp	29
PID 2428 wrote to memory of 2792	2428	36BA.tmp	29
PID 2428 wrote to memory of 2792	2428	36BA.tmp	29
PID 2428 wrote to memory of 2792	2428	36BA.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\36BA.tmp
  "C:\Users\Admin\AppData\Local\Temp\36BA.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.exe 96B3538F22AACDE213B7E3FA96081DC81420201CF5C46A893D605B62166456ED7587F58A6A40ECC941D7A11D6159DBCAAB02B1E6682FCE797B425FBAEA28D62C
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.doc"
    3⤵
    PID:2792
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-01-08_a3624e0e6974e90ba41ef1f54aac26d7_mafia.doc

Filesize
1KB

MD5
aae290d42bbb5fd7b665f6a8ac59170d

SHA1
4764aff11fc4997e36898e1798e135c06bd4653b

SHA256
8ae9abc040699bd6261c4a838172412bda4dfd1881ec126a7332f33e4577ab1d

SHA512
41a9736498a308edbc6533e6eb7ca9a130e7322561cc197be2063a2ba428843ddda6c547539d323279482a20ed7f38bcc3c862ad3efdc6ebef7f0e39f0ac2dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\36BA.tmp

Filesize
6KB

MD5
fd3dda8c62330e7168f867dd31521847

SHA1
bab25d4d8410cc9dc809cbbf6664027cabeee2c6

SHA256
770345ec074a6d0786df6803bf0dc887d66fde41cca5e8fadd434508220285e4

SHA512
a899f6ed4162a45f95a68578b6f643b90600ccbc051485bf5ae3446d5dfd7236db8312994e7949a829feeed6b4bea3d8569650ef56e4846bd70ff4d172f7b138

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
1KB

MD5
a24b9787ce042d1756658e2a9fbe965d

SHA1
5642cb2a55f98386387990a4e470b562693824fc

SHA256
93e88b489b43a0d77b43c44cad748945b3dc5784833b2cad622d7e2a6c0b8033

SHA512
2bdecae60a2bbeab967a451878a6c4cecee8bcb90d5df46a833fe8004a7604b5849cf5ffbd4945dcdd565528e125ab2a346d5fa3bef223ffe4225d391bb7a117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\36BA.tmp

Filesize
35KB

MD5
babbaae9d58cb4b441cf3d15204848fb

SHA1
0f8311ac5ab2c345b27df313b8054331cea30576

SHA256
5a97c5840196550ca6aa16862be2afe54a4fad3fbc016be441f5e853155869b3

SHA512
3cb7dab6415ce8a76681a2077388a8f7ad41db91a2f109d5345f9c075b93c679770a0d6e973cd64793cbb142bf6ff54cf09317d944e85beb3b2cc7195dc01f4b

Download Submit
memory/2792-7-0x000000002FE61000-0x000000002FE62000-memory.dmp

Filesize
4KB

Download
memory/2792-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-9-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2792-28-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2792-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download