acdff66e712390664b9c200d79e4a094beeaa3d1007ee4a11ebe40210b1fad34

General

Target

2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe
Size

462KB
MD5

b2fed9d168606136fc188c0ae132d375
SHA1

9fc286b3e07577c952d991aeb31cfbc4cf1dd08c
SHA256

acdff66e712390664b9c200d79e4a094beeaa3d1007ee4a11ebe40210b1fad34
SHA512

5bffe8fb6d73d3ff5e36f034e7bdbbf6a6c19f06d4bd261c74769d12fc6258bb2ec7aa0e1e664c3af4fc1c04ed9edbf803eedf30ecbdaaac95c34dd1a18c1e4d
SSDEEP

6144:lA4psmawWIrFUJe5X8bbU4ycQ8XzhlfTS5ysBrOI0FIQNReUn64tDWjWsHOj:loJe5X8bjQ8XzXrS5HBrO9eYfrFqnuj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1384	31F9.tmp

Loads dropped DLL 1 IoCs

pid	Process
1764	2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2356	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1384	31F9.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2356	WINWORD.EXE
2356	WINWORD.EXE
2356	WINWORD.EXE
2356	WINWORD.EXE
2356	WINWORD.EXE
2356	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1384	1764	2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe	28
PID 1764 wrote to memory of 1384	1764	2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe	28
PID 1764 wrote to memory of 1384	1764	2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe	28
PID 1764 wrote to memory of 1384	1764	2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe	28
PID 1384 wrote to memory of 2356	1384	31F9.tmp	29
PID 1384 wrote to memory of 2356	1384	31F9.tmp	29
PID 1384 wrote to memory of 2356	1384	31F9.tmp	29
PID 1384 wrote to memory of 2356	1384	31F9.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\31F9.tmp
  "C:\Users\Admin\AppData\Local\Temp\31F9.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.exe 608790401700A7AECC1316A40C1B4BB2A5E71AF96DFB4C14CE40EF1E8363CE0B22A4814A05245EC097A24C8E9929B2874CA4CB1BCB3DA1B80C97A83D0B46CF5E
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b2fed9d168606136fc188c0ae132d375_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
C:\Users\Admin\AppData\Local\Temp\31F9.tmp

Filesize
462KB

MD5
168035d86ff61b0d75df271bb9631d4f

SHA1
ae767e82171f6b4f1ee9d64f74f97d06948235df

SHA256
7766c858fee1632614516520d89bbb5e08ac67ee775f93fc3551be23a5d7405d

SHA512
a5070d297701584538054cacdde4073090cc2d4c122d6c7434ea98d022cc890419f32f1f5b980918e69550de8537c1ba2371df3f82946f3cbb497c6997c22a00

Download Submit
memory/2356-7-0x000000002F961000-0x000000002F962000-memory.dmp

Filesize
4KB

Download
memory/2356-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2356-9-0x0000000070C2D000-0x0000000070C38000-memory.dmp

Filesize
44KB

Download
memory/2356-13-0x0000000070C2D000-0x0000000070C38000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing