2b4b67331f91dfe4516336b5ca5868cb774e359d4647abad88131eb9c30fa0b3

General

Target

2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
Size

486KB
MD5

e008f6de1c33acafea60d513c90cc527
SHA1

08cee0c7e1103cc7a69d857b76e1bd37b6e2454f
SHA256

2b4b67331f91dfe4516336b5ca5868cb774e359d4647abad88131eb9c30fa0b3
SHA512

eed6b8c5950379bfb554033502bd92ec384d10822b7b1e493a1bab133e7a21218de068267f7b1f4f0b8d4c6e90642a1e12331ac37560e897e6a8513a7b7e022e
SSDEEP

6144:fpzhInoFPRsVmVE600C978/1ZkycpBQEJIbxWeow9b51YIJNpltL33fOcMsHpeUg:frF2600C977x5w9b51tJTltr32c1JeUg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	B9AB.tmp

Executes dropped EXE 1 IoCs

pid	Process
4872	B9AB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	B9AB.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3020	WINWORD.EXE
3020	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4872	B9AB.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4872	2424	2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe	90
PID 2424 wrote to memory of 4872	2424	2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe	90
PID 2424 wrote to memory of 4872	2424	2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe	90
PID 4872 wrote to memory of 3020	4872	B9AB.tmp	92
PID 4872 wrote to memory of 3020	4872	B9AB.tmp	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\B9AB.tmp
  "C:\Users\Admin\AppData\Local\Temp\B9AB.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 09915774D22DB986B4B5860206B32357891CE127D593FDE7B3157D92A7E3F41798793D4A40BA65138061EDB9B2C214CD42CF0E18D3EB2B1620E0DA59B310346F
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx

Filesize
125KB

MD5
f5cf4b1e9f4cca92ae51496d67d2f3e1

SHA1
ded5b618c8c9790f47e84d3e0d981976b1808d30

SHA256
f5384d0f3d3525b6ac0614fcc16a77a63bc091f8b069d7c030e1c5a4fa8d87c6

SHA512
45ce86d7c90a3f707702f690973523176a8a8703dedd5f81d7251aa0787329a394347340da7d19cb82360b74e76fab4df70e7090c9a40d516ecce4525ab4dbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx

Filesize
50KB

MD5
ea63f834f3c9732c655fa899d9586d6c

SHA1
b52807ea6e6bdd8ea66a650025f089fcc4e061ec

SHA256
274531ace5ca390d696b3cf2024f973877120da1c19e4722917844183af432a2

SHA512
40f0960577674614daa2e5e03dbe7b411801fe27b85a83a2df4cbd869d4b8162558b144767452f3464065e36e562735662997e27097d78602fe1076652489120

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9AB.tmp

Filesize
486KB

MD5
b8abeb8847707651cd2a10d902c33785

SHA1
1b391226320c5ea0916ae70fe1e8d1d4e00357b8

SHA256
b479be32a0584fd80dc922ec774c1f582feaab2b3e0c80cf725d67ba83065d3b

SHA512
d534fd8173c6cd52447261c9cd5fedeb2f26dc3bd00b5d4998f102f615b4c6e654a340edc240c422a4d115c9785b7b47be6c7fb9c82ff696e8102e90556aa26e

Download Submit
memory/3020-30-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-32-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-16-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-17-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-18-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-20-0x00007FFABF400000-0x00007FFABF410000-memory.dmp

Filesize
64KB

Download
memory/3020-24-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-25-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-26-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-28-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-29-0x00007FFABF400000-0x00007FFABF410000-memory.dmp

Filesize
64KB

Download
memory/3020-13-0x00007FFAC1D10000-0x00007FFAC1D20000-memory.dmp

Filesize
64KB

Download
memory/3020-31-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-15-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-27-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-23-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-22-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-21-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-19-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-12-0x00007FFAC1D10000-0x00007FFAC1D20000-memory.dmp

Filesize
64KB

Download
memory/3020-11-0x00007FFAC1D10000-0x00007FFAC1D20000-memory.dmp

Filesize
64KB

Download
memory/3020-10-0x00007FFAC1D10000-0x00007FFAC1D20000-memory.dmp

Filesize
64KB

Download
memory/3020-9-0x00007FFAC1D10000-0x00007FFAC1D20000-memory.dmp

Filesize
64KB

Download
memory/3020-14-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3020-45-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads