Overview

overview

7

Static

static

3

2024-03-07...ll.exe

windows7-x64

7

2024-03-07...ll.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-07_fa96a7c1c05185f062d1c6bef8e3635b_mafia_stonedrill.exe

  • Size

    387KB

  • MD5

    fa96a7c1c05185f062d1c6bef8e3635b

  • SHA1

    f65c61064983317748f1fa10e489918c42b50a5f

  • SHA256

    68e467a157e68f55ee95455ff7a9dc5915788c404d3dfa74034fcec8c17eb08e

  • SHA512

    b628bb90f8459072d8db4d3425740883ebb4937b82234467d8541e1eeb74205e931a253766c8a891278e02f081ec7ce45fae52337d22f45582e7609ca6c0c6fc

  • SSDEEP

    12288:BqYXje0DF9k64/QSywqP0T8oIN1AHDFhY25fC2WF9se204P:BqYDF9k64/Q9j28okAHDHY25fC2WF9sf

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-07_fa96a7c1c05185f062d1c6bef8e3635b_mafia_stonedrill.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-07_fa96a7c1c05185f062d1c6bef8e3635b_mafia_stonedrill.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\2024-03-07_fa96a7c1c05185f062d1c6bef8e3635b_mafia_stonedrill.exe" "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
      2⤵
        PID:2792
      • C:\Users\Admin\AppData\Local\Temp\StikyNote.exe
        "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:420

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\StikyNote.exe
      Filesize

      64KB

      MD5

      1ed88645be3af6ae6077866447a0f063

      SHA1

      b757f9dbbb7e59ea8324a9f855ec85ad4b770745

      SHA256

      c442f8f40fcc8181103195a4ac038a5c45cf82397db537b584196ee8bbfe34f8

      SHA512

      3ac1b1fe3a7827aea3cc9aad1bcb7a285fed9748cc84af7802f38d989437bc3e1fdc52349b9fce74b211a079fcb0ba40a07329222010c1151e1ae2f01af2f8fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\StikyNote.exe
      Filesize

      387KB

      MD5

      fa96a7c1c05185f062d1c6bef8e3635b

      SHA1

      f65c61064983317748f1fa10e489918c42b50a5f

      SHA256

      68e467a157e68f55ee95455ff7a9dc5915788c404d3dfa74034fcec8c17eb08e

      SHA512

      b628bb90f8459072d8db4d3425740883ebb4937b82234467d8541e1eeb74205e931a253766c8a891278e02f081ec7ce45fae52337d22f45582e7609ca6c0c6fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\StikyNote.tmp
      Filesize

      387KB

      MD5

      dcfadc21ed1fa319447f6e56627dbb51

      SHA1

      d877856b6dd436bd1e74d14d7e8ab67c29048601

      SHA256

      5c1946a18cda4570feb4a9c6fb858024ad1322b8d068d8f196324ee0eee85974

      SHA512

      a322ec803b3019bcf137f3fd1700d4ec2bc00f6c5acae4fa55e232ad518534d9791ad24ed9cf60e5802d05df9fc0c0a43c8894a75e00d7358cccf9ee7c44c319

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setup.tmp
      Filesize

      47B

      MD5

      72a392628d7f368bb9bc9689a694f55a

      SHA1

      feacee9c66028a333446f2c968bcb3d567a4033d

      SHA256

      afa60141aee93d7e3f3d8d296e36de9956f588a6cad99f8e79ce36ab88e828dd

      SHA512

      76f40be7d3e0de960c7bc199fd094c64588841e5b6a1b99bd7fd2e3b53f9e381ded992ee6d67848dd4fda755416792ff6e29bf0acf1a348796dcf7e9bf96229e

      Download Submit

    • memory/420-13-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/4036-2-0x0000000000A60000-0x0000000000A63000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4108-12-0x0000000076D60000-0x0000000076E50000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4108-14-0x0000000076D60000-0x0000000076E50000-memory.dmp

      Filesize

      960KB

      Download