Analysis
- max time kernel: 144s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23/02/2024, 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
- Resource: win10v2004-20240221-en
General
- Target: 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
- Size: 462KB
- MD5: 9f3c2d0e1ebd6ae5c54432f91c04cd1a
- SHA1: 0c753df7f1cf451dde408e69504cb9677270e9b2
- SHA256: ceb9245605dfd5868d90cb3beac75c16fbc3d156a1d48d6a2e3b605daab5cf69
- SHA512: 453f6b669b1c922abc86866b503746246162673fdbe4f61d333a6a4b636ca56b2fd80e07ae334bc75782c8d3daa9f048a2148cdfdc3712564ce301c30282bc38
- SSDEEP: 6144:0A4psmawWIrFUJe5X8bbUChtHaYPwzC8WR7EmByiREz49rg3mhwAHNsHZi:0oJe5X8bxUzC8WR7zyiV9rg3mhwOC5i
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 3052, Process 1D7F.tmp
- Loads dropped DLL (1 IoCs)
  pid 2972, Process 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 1652, Process WINWORD.EXE
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3052, Process 1D7F.tmp
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 1652, Process WINWORD.EXE (6 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  - PID 2972 wrote to memory of 3052: 2972 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe, target 28
  - PID 2972 wrote to memory of 3052: 2972 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe, target 28
  - PID 2972 wrote to memory of 3052: 2972 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe, target 28
  - PID 2972 wrote to memory of 3052: 2972 2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe, target 28
  - PID 3052 wrote to memory of 1652: 3052 1D7F.tmp, target 29
  - PID 3052 wrote to memory of 1652: 3052 1D7F.tmp, target 29
  - PID 3052 wrote to memory of 1652: 3052 1D7F.tmp, target 29
  - PID 3052 wrote to memory of 1652: 3052 1D7F.tmp, target 29
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2972
  - C:\Users\Admin\AppData\Local\Temp\1D7F.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\1D7F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe 6614EFD8D1E130505FCB9A9208FB6E0DA5124813BE89DEF4D73D2D9C7F55F2C33826AEE16178E3AEC85039D0B9A71E2788B15E728440E944916E6B755B5BFC19
    - Executes dropped EXE
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 3052
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.docx"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 1652
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21KB
  MD5: 7079891932a64f097abafd233055a1e9
  SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
  SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
  SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
- Filesize: 462KB
  MD5: 9f652447f95ae10462cbb2d9bd64e4f0
  SHA1: 3982a66eb5416054e51fe10ebf3c487f00ae1baa
  SHA256: 591f700d42238e8ab94d273087f34379e2fbc0720b83d53ba80fab2638ef9c5b
  SHA512: 14ff1adde1bd3185600806881d237241f7b3efb1e0f16e32dd846d3ccc47401790e2a62de2428394838eaa90425642b859e6bc83d99f844b25bde76270c29f19