Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe
-
Size
414KB
-
MD5
aa35ae2289ccf38fc606473029ea046b
-
SHA1
55960c07d2c47c0351165dd433737236d2a29c20
-
SHA256
cd51c70210ae0b34667ca577f883eb6af1a84f20b4a178711852ab0c3c00a106
-
SHA512
3bfaf4fa7bc94310720c7a694511c8aa00755cb3840a29f95372d0f796f080667bf275cf1b3fcdb02f77f86e1fcb777e08b95af02520c6879c54178d8234079d
-
SSDEEP
6144:Wucyz4obQmKkWb6ekie+ogU6BYpFlERttS2TqzOrY/TdhKn9iKjyqWgGuys81l:Wq4w/ekieZgU6gE82SO8yUg0Hu61l
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
51F.tmppid process 1028 51F.tmp -
Executes dropped EXE 1 IoCs
Processes:
51F.tmppid process 1028 51F.tmp -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exepid process 2348 2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exedescription pid process target process PID 2348 wrote to memory of 1028 2348 2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe 51F.tmp PID 2348 wrote to memory of 1028 2348 2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe 51F.tmp PID 2348 wrote to memory of 1028 2348 2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe 51F.tmp PID 2348 wrote to memory of 1028 2348 2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe 51F.tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\51F.tmp"C:\Users\Admin\AppData\Local\Temp\51F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-12_aa35ae2289ccf38fc606473029ea046b_mafia.exe 6DFA94A2A884690E8646C3404DE101B0A193B91BC1869237824ADB3C98067D17CFA7EA68B2845F0A1F8761F2DAFF72739B0848C7CCEBED8F309093A7959C23212⤵
- Deletes itself
- Executes dropped EXE
PID:1028
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
414KB
MD5f90745c480a602a341159b1934f720b7
SHA1995873db1a101d86a8ee911ae1368a4e02e8b9d9
SHA25628d32a7fb58cf55ae1c90244fca336e158bbd1efff92d727c655a47bedc5b792
SHA51289ef59c35cdf99a2ec8bee8f1c42cc089175a9a7c1bbce3a6484d3c1ffd43e64e33e7e6e47e4065c016cd5b0f8b0b4af4f94d04181b909760ad8a82f96abc3ff