Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23/02/2024, 01:49

General

  • Target

    2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe

  • Size

    462KB

  • MD5

    9f3c2d0e1ebd6ae5c54432f91c04cd1a

  • SHA1

    0c753df7f1cf451dde408e69504cb9677270e9b2

  • SHA256

    ceb9245605dfd5868d90cb3beac75c16fbc3d156a1d48d6a2e3b605daab5cf69

  • SHA512

    453f6b669b1c922abc86866b503746246162673fdbe4f61d333a6a4b636ca56b2fd80e07ae334bc75782c8d3daa9f048a2148cdfdc3712564ce301c30282bc38

  • SSDEEP

    6144:0A4psmawWIrFUJe5X8bbUChtHaYPwzC8WR7EmByiREz49rg3mhwAHNsHZi:0oJe5X8bxUzC8WR7zyiV9rg3mhwOC5i

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\1D7F.tmp
      "C:\Users\Admin\AppData\Local\Temp\1D7F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.exe 6614EFD8D1E130505FCB9A9208FB6E0DA5124813BE89DEF4D73D2D9C7F55F2C33826AEE16178E3AEC85039D0B9A71E2788B15E728440E944916E6B755B5BFC19
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.docx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1652

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f3c2d0e1ebd6ae5c54432f91c04cd1a_mafia.docx

          Filesize

          21KB

          MD5

          7079891932a64f097abafd233055a1e9

          SHA1

          246d95feafe67689d49a5a4cadba18d3ac1914e5

          SHA256

          c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

          SHA512

          6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

        • \Users\Admin\AppData\Local\Temp\1D7F.tmp

          Filesize

          462KB

          MD5

          9f652447f95ae10462cbb2d9bd64e4f0

          SHA1

          3982a66eb5416054e51fe10ebf3c487f00ae1baa

          SHA256

          591f700d42238e8ab94d273087f34379e2fbc0720b83d53ba80fab2638ef9c5b

          SHA512

          14ff1adde1bd3185600806881d237241f7b3efb1e0f16e32dd846d3ccc47401790e2a62de2428394838eaa90425642b859e6bc83d99f844b25bde76270c29f19

        • memory/1652-7-0x000000002F221000-0x000000002F222000-memory.dmp

          Filesize

          4KB

        • memory/1652-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1652-9-0x0000000070CED000-0x0000000070CF8000-memory.dmp

          Filesize

          44KB

        • memory/1652-13-0x0000000070CED000-0x0000000070CF8000-memory.dmp

          Filesize

          44KB