Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2024 18:01

General

  • Target

    2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe

  • Size

    6.3MB

  • MD5

    6c850ead2c8948bb6cf6bcfad01749a0

  • SHA1

    448ad5835946e3e223e2aaf4ecdcc6fabd129ebb

  • SHA256

    7277aff9923bc160fc591dfb30ea8b3a8ef51c322cd9182c00713bd932753526

  • SHA512

    51376cf612ed38be4f3a3069bd46c7c0025139f808f77ae9c57c93fa8a415588126f6494cd44681647c60085e145d2a5e6b2a699fe931007e60fa66f0b6812b2

  • SSDEEP

    98304:9uoMZZfZg0uiLsfD+gFd8J/NfLSkTIoW5FPEpBR2QiQgtmT6J5DxltVfWQQpoQx/:9uoMHBue0dWVukTu5ntFtmTqZOQQUA

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-19_6c850ead2c8948bb6cf6bcfad01749a0_mafia.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/376-1-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/376-27-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-20-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-21-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-14-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-15-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-17-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-19-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-5-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-11-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB

  • memory/5056-22-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-23-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-24-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB

  • memory/5056-25-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB

  • memory/5056-26-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB

  • memory/5056-3-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB

  • memory/5056-29-0x0000000000400000-0x0000000001566000-memory.dmp

    Filesize

    17.4MB

  • memory/5056-30-0x0000000003980000-0x0000000003B5F000-memory.dmp

    Filesize

    1.9MB