2745edac69feacbd147de30429158d6b6c30ad11fbed3a39c75e1794f9273704

Analysis

max time kernel
2s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe
Size

467KB
MD5

b230fffb0f676fa2ac59bb2f09f8b002
SHA1

2daeeefeab170353758d87a2bb43194ecbedfbce
SHA256

2745edac69feacbd147de30429158d6b6c30ad11fbed3a39c75e1794f9273704
SHA512

d739eb5c9327646ad167088b6b40438ed290f0cd13b4e91e38305c8a17da004598fe69a0b26c369a1e6fe756c6e0f34b6a00851551669fb0941799a95c465516
SSDEEP

12288:Bb4bZudi79LEl7d63j/P5SVzSnqNMVgY2Ak:Bb4bcdkLEFwDoVzneS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3000	1278.tmp

Loads dropped DLL 1 IoCs

pid	Process
2928	2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	1278.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3000	2928	2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe	16
PID 2928 wrote to memory of 3000	2928	2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe	16
PID 2928 wrote to memory of 3000	2928	2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe	16
PID 2928 wrote to memory of 3000	2928	2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe	16
PID 3000 wrote to memory of 2044	3000	1278.tmp	29
PID 3000 wrote to memory of 2044	3000	1278.tmp	29
PID 3000 wrote to memory of 2044	3000	1278.tmp	29
PID 3000 wrote to memory of 2044	3000	1278.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\1278.tmp
  "C:\Users\Admin\AppData\Local\Temp\1278.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.exe C67593FB0A06CA7FB1B3C1DC20EE58EF7AE76FFA3890581E5A2CE29C5B81DDEC532528261D87540CC131CA47A6B281E5FD7BA7705861FA2EBC1171A296DD33C5
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.doc"
    3⤵
    PID:2044
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1278.tmp

Filesize
33KB

MD5
42ca543719df9cbc4271bf0ac6956eb1

SHA1
ab3a410db2104415430a77fb3567bd48c4c3786f

SHA256
15a295ca4c61ea73589b449976edd1160dee3c834b76da0388514bf1608c5473

SHA512
fc7fbbe35317ac85f14aaccc54d392e82ca8b9ff2d0c921b85ed6a30fa751e5194042a39b9e799a1885a54f9f1d5d8b253f7eeadcc8a1aa79e9057927058a65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-08_b230fffb0f676fa2ac59bb2f09f8b002_mafia.doc

Filesize
2KB

MD5
aab896a0419270780ecefa4cd3e7eded

SHA1
f665b94b7c4ed9d1238c72c3bb3c4f2c3b4f0978

SHA256
86b25d36bd43ffb400b0063ace6f436bc6ad8861bbc2aefac2acfd700010d23f

SHA512
e4f180e9110da19136883b55f83cce969960ade195823a39ee5ad91717ef59b1d800c728313e3cbcd2f8ecdac4e9196c1548d1bc5d3c6e23fadf1bfb100cdcf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
5a941297f6e81bdcc3c5db418dd1e22a

SHA1
5dcd4a6c9f409d62fff764f72494a28c59ef3add

SHA256
c1a4486e5087682ad55ae46769a64a3d9be6d48b7de2336f72481165f5119018

SHA512
d354f9d0771a32a9df26a8741545b0a92083cf8c6c28b80b14b9185d2eca2339cb9042b795a74074cf0c03eebebf5322406f7c1c2087eec4afb4b41e40be41b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2044-7-0x000000002F301000-0x000000002F302000-memory.dmp

Filesize
4KB

Download
memory/2044-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-9-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/2044-28-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/2044-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download