cfc179787a2c853d906c0e301b5d3c456b8823230b03e0fed78030a705b34a76

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
Size

535KB
MD5

34c0044dee04253964e0d8ec3c9cd739
SHA1

a84e1c388b52801a1c16b85daef3e3b01ea5336a
SHA256

cfc179787a2c853d906c0e301b5d3c456b8823230b03e0fed78030a705b34a76
SHA512

88df2dfb899cdad27dfbef9abe17aeb0ab74438b850772860c55fb021796e9b0907ba0ebb5e5350d3e59a7b9d6cbba1727c3b27766e916ff65723c07ba8d0f78
SSDEEP

12288:si4g+yU+0pAiv+CrxR5C07Y0HeqFuK8mWxUlvjosTdcG93Dn:si4gXn0pD+axR5NY0Hea8UlvjRhFJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2364	588C.tmp
2852	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
2364	588C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2364	588C.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2364	2184	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe	28
PID 2184 wrote to memory of 2364	2184	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe	28
PID 2184 wrote to memory of 2364	2184	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe	28
PID 2184 wrote to memory of 2364	2184	2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe	28
PID 2364 wrote to memory of 2852	2364	588C.tmp	29
PID 2364 wrote to memory of 2852	2364	588C.tmp	29
PID 2364 wrote to memory of 2852	2364	588C.tmp	29
PID 2364 wrote to memory of 2852	2364	588C.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\588C.tmp
  "C:\Users\Admin\AppData\Local\Temp\588C.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe FBAD12BCD948AE750285A80FDEE4DD28F39E1BDE9B7AFA6D29AA27EB5659179B5B4E9DB623F4DFCC0307E55B47CE884DD134275B57C5E037D1578FBBF78234A3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe"
    3⤵
    - Executes dropped EXE
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2024-01-10_34c0044dee04253964e0d8ec3c9cd739_mafia.exe

Filesize
255KB

MD5
b7fd76103054f562a11ce616d50a0611

SHA1
7473656e5a33b9ecc401985f917f65054bcbd16c

SHA256
aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

SHA512
2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Download Submit
\Users\Admin\AppData\Local\Temp\588C.tmp

Filesize
535KB

MD5
76c6b1cd08e41516f0e86893b4f5eb10

SHA1
30a78f1babf325ad7c53bb0555a292d31404f01c

SHA256
2ef82f2e3ccec34e39371dadf52d32960bb7748d68fdc4e5e6cf0c8785e73ac3

SHA512
0c8c5832cb155eb5738b4c0b7da94a7a56979dcb0ad78de3c0c7adf3403f602fb349d96ad307d21dc61a559400f55b46d5436085ec763abeb77cf935982ffa47

Download Submit