edb7da251efa8280840fcc77e49719fa64611069aaba1500973c790828af00b6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe
Size

535KB
MD5

926c8774ad2aaed8c1a8aa11d7961c2a
SHA1

dba8d62190973aef89fad9adab733f6da5ae0881
SHA256

edb7da251efa8280840fcc77e49719fa64611069aaba1500973c790828af00b6
SHA512

15e017465402ee3726a73f58a91a7ba02d706105cda708852d7cb89f101575ca835f459ef40f473f416e475102930755e363cbd64aadaa4feab1549d85a326ce
SSDEEP

12288:si4g+yU+0pAiv+DhaMFIvXPua6emoWvxUlvjosTdcG93Dn:si4gXn0pD+DhaMFkPt6edlvjRhFJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2968	3C74.tmp
2124	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe
2968	3C74.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	3C74.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2968	2212	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe	28
PID 2212 wrote to memory of 2968	2212	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe	28
PID 2212 wrote to memory of 2968	2212	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe	28
PID 2212 wrote to memory of 2968	2212	2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe	28
PID 2968 wrote to memory of 2124	2968	3C74.tmp	29
PID 2968 wrote to memory of 2124	2968	3C74.tmp	29
PID 2968 wrote to memory of 2124	2968	3C74.tmp	29
PID 2968 wrote to memory of 2124	2968	3C74.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\3C74.tmp
  "C:\Users\Admin\AppData\Local\Temp\3C74.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe 02A608F03CE6EC3A10B46EB1ECBCBDC3F72F5C6F614CC075BD3A0E2DFF9A3CE416DA06EE0484891BE8C1DFFA4F3DD5CE02ECA687551258D3AE088A3927D7BA06
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe"
    3⤵
    - Executes dropped EXE
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2024-01-26_926c8774ad2aaed8c1a8aa11d7961c2a_mafia.exe

Filesize
255KB

MD5
b7fd76103054f562a11ce616d50a0611

SHA1
7473656e5a33b9ecc401985f917f65054bcbd16c

SHA256
aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

SHA512
2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Download Submit
\Users\Admin\AppData\Local\Temp\3C74.tmp

Filesize
535KB

MD5
f17b66d4401aad552fa3ef284617fedb

SHA1
88aae301718f8a0963b94e385ee82ff9964ba702

SHA256
18ade2d65f13852c527f7b991da74198eca4530f039597345531d5a806e83481

SHA512
477109fd77351a6657fea82e1de20be9a1b86c947d07f4475c0f0d738320353f4ef20802c982f6c90bcd4cd2cd7638258344bcde31179375c604759821e46c6b

Download Submit