20247bfe70d62f7e27991c63a8052c21495b0df384fb118097c54a5ff117d6b8

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe
Size

872KB
MD5

c67a1f278d9f670e0f8355044471df05
SHA1

df49d02bd36b9dadec2e9f0e8d14a994e6b75fb6
SHA256

20247bfe70d62f7e27991c63a8052c21495b0df384fb118097c54a5ff117d6b8
SHA512

e8daed3f75440d713506aeb77d6a71c21c9f6c5c6757baf299a88b70fb5ab8c988f51e4b23870cfc8d2e22248cd5ab1b85d30ae7e3764e7b0aebd0d6ef11a86a
SSDEEP

24576:lX47adsX3WgCI21wf+FV6gh8yOZ0blPRXRlC9jJXJv:lX4WdsXmgCl1qq8gB5ZPRXRlC9dB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	5237.tmp

Executes dropped EXE 2 IoCs

pid	Process
1916	5237.tmp
3680	2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1916	5237.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3680	2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 1916	4416	2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe	84
PID 4416 wrote to memory of 1916	4416	2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe	84
PID 4416 wrote to memory of 1916	4416	2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe	84
PID 1916 wrote to memory of 3680	1916	5237.tmp	85
PID 1916 wrote to memory of 3680	1916	5237.tmp	85
PID 1916 wrote to memory of 3680	1916	5237.tmp	85

C:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\5237.tmp
  "C:\Users\Admin\AppData\Local\Temp\5237.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe 1DA54BC7F4C1FFB7F99B9161D406A7E6E23B0FD7E00098DCBC607FD8B422A2A8598E72C29903BE6229F54C22684BDD55495B331DB9663BF5D00C8B16724C27C2
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-02-13_c67a1f278d9f670e0f8355044471df05_mafia.exe

Filesize
395KB

MD5
a540d62254f68c896adb5576f7ae6663

SHA1
b8f7b11e0ec93e468912e4bf921928a7b2a10561

SHA256
b17a386407de08ac6202d61e06832a133652efd6108557a94a384cbbe241204a

SHA512
0ff36593131c0c8702f228e0e485dacbd6d5a59916ac76f4e13c5f040e2f1d3d52234c93112c38469eaffdd127d83e50223e1cbac3514dae23d04ac90d3e5b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\5237.tmp

Filesize
872KB

MD5
97ed0b1d1e0c2faae214b3d27e9d98e6

SHA1
784ba3cf5c1bc5f074cdf8199a4261b5b23f81b6

SHA256
caa1ceceb44720113f44b1b959d180d9b9b343bbcf15ce9da48f6a78eb225154

SHA512
a73f70bb5aea2b27a8e1cf58b7bcfc72cec8d9826bd811d28cad8f78a80d4b5014e731147b9c6083f5047ccadd677b117b677ea3bab3171c84f4ac8767e79a9b

Download Submit
memory/3680-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3680-16-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3680-17-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3680-18-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3680-20-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download