014a71e4fae26f5a79b226915d5c2dba26c21ddf880116349f414f663c1692ca

General

Target

2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
Size

292KB
MD5

0da967c548749fb7fc017f5a0b9e53fa
SHA1

041a0200cee68cedd215d18f1abc7d04bd5c15bf
SHA256

014a71e4fae26f5a79b226915d5c2dba26c21ddf880116349f414f663c1692ca
SHA512

00f12e1ae36c7bcd79ede722e2a6359f9d1838149005d89cf1c25b7693d96042e5a431cce7dc26c6a334dc94462693565c0072c5b1b2ff71e80a36923c0710e1
SSDEEP

6144:LanPst8v78IwA7I97x4fg+8t9d5Z0DRUIH0xsNJEe:LoPstEPwA7I9750Nz0ONJEe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	s9684.exe

Loads dropped DLL 4 IoCs

pid	Process
1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
1352	s9684.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	s9684.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	s9684.exe
1352	s9684.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1352	1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe	28
PID 1336 wrote to memory of 1352	1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe	28
PID 1336 wrote to memory of 1352	1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe	28
PID 1336 wrote to memory of 1352	1336	2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_0da967c548749fb7fc017f5a0b9e53fa_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\n9684\s9684.exe
  "C:\Users\Admin\AppData\Local\Temp\n9684\s9684.exe" ins.exe /e11709017 /u5256af57-a14c-4fa9-bca9-79340a000013
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1352

Network

DNS

api.socdn.com

s9684.exe

Remote address:

8.8.8.8:53

Request

api.socdn.com

IN A

Response

api.socdn.com

IN CNAME

615321.parkingcrew.net

615321.parkingcrew.net

IN A

13.248.148.254

615321.parkingcrew.net

IN A

76.223.26.96
GET

http://api.socdn.com/installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/config

s9684.exe

Remote address:

13.248.148.254:80

Request

GET /installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/config HTTP/1.1
User-Agent: DownloadMR/3.1.2 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
Accept-Language: en-US
Host: api.socdn.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 23 Feb 2024 10:26:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket011
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_MI69FvqpOoonCfa3p3U0TW4I1CQM1VRRwNU/3OtG7q45GPfUyR+BDlNvgv4FAuYVsIDm5Bj84nS/GzX2zr/RFA==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Domain: socdn.com
X-Subdomain: api
POST

http://api.socdn.com/installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/event

s9684.exe

Remote address:

13.248.148.254:80

Request

POST /installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/event HTTP/1.1
User-Agent: DownloadMR/3.1.2 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Host: api.socdn.com
Content-Length: 3394
Expect: 100-continue

Response

HTTP/1.1 403 Forbidden

Server: awselb/2.0
Date: Fri, 23 Feb 2024 10:26:55 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 138
Connection: keep-alive

13.248.148.254:80

http://api.socdn.com/installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/event

http

s9684.exe

4.8kB
4.8kB
13
13

HTTP Request

GET http://api.socdn.com/installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/config

HTTP Response

200

HTTP Request

POST http://api.socdn.com/installer/5256af57-a14c-4fa9-bca9-79340a000013/11709017/event

HTTP Response

403

8.8.8.8:53

api.socdn.com

dns

s9684.exe

59 B
127 B
1
1

DNS Request

api.socdn.com

DNS Response

13.248.148.254

76.223.26.96

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n9684\s9684.exe

Filesize
269KB

MD5
5bedbca9b50f0374b405eb0c79ec0195

SHA1
1a0646caa442f30d86f5ba79c35de34a4ab235fe

SHA256
0355e5e23f4f5d2c129c6d5aa680c782898b332a38c02a0b7ef4d0f50b0ea64d

SHA512
007fd12814a7a7e8d4182d69a86a2f06350521aa9daf684e2516bf7f22add1f687940a06430b5169f38e41c99ae8cbcc8d1f7c3218c68a127a8c6fe68c36ee6b

Download Submit
memory/1352-14-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1352-15-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-16-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-17-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-18-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-19-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-20-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-21-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-22-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-23-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-24-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-25-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1352-26-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-27-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.