Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-03-2024 02:55
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe
-
Size
444KB
-
MD5
f8b130c7b60cb44e128053f45bfd9c37
-
SHA1
96992f4da282a6a8cf18313369e18013db615c52
-
SHA256
0c89a4aea693868d3f04d4389c5aa735b86d26e97fe2504433baad45ef1e8a6c
-
SHA512
f2dd801764027b2c1a7a0ecc2edc665598cd99de49a8bb5d3958699c2720f8470e831804a7f1d6da86c51087146a3cd9494a7fdb3fb6bbcdeddf84b886e7e11e
-
SSDEEP
12288:Nb4bZudi79LJoJfcGqYr8Rn+pXx8Z6iYQVJxA:Nb4bcdkLJotcxYr2mXxrM
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3680 447B.tmp -
Executes dropped EXE 1 IoCs
pid Process 3680 447B.tmp -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1656 wrote to memory of 3680 1656 2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe 88 PID 1656 wrote to memory of 3680 1656 2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe 88 PID 1656 wrote to memory of 3680 1656 2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\447B.tmp"C:\Users\Admin\AppData\Local\Temp\447B.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-10_f8b130c7b60cb44e128053f45bfd9c37_mafia.exe 61264C92D57B1B02981C23AA821AD50973EE80117D17FFC73078D9950514A01A634A3C05B78AFDE10688A717C48474428E9294A1CDFE3870A5F957B58A81CA482⤵
- Deletes itself
- Executes dropped EXE
PID:3680
-
Network
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.178.17.96.in-addr.arpaIN PTRResponse209.178.17.96.in-addr.arpaIN PTRa96-17-178-209deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.241.123.92.in-addr.arpaIN PTRResponse104.241.123.92.in-addr.arpaIN PTRa92-123-241-104deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request211.135.221.88.in-addr.arpaIN PTRResponse211.135.221.88.in-addr.arpaIN PTRa88-221-135-211deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request173.178.17.96.in-addr.arpaIN PTRResponse173.178.17.96.in-addr.arpaIN PTRa96-17-178-173deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTRResponse174.178.17.96.in-addr.arpaIN PTRa96-17-178-174deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTRResponse174.178.17.96.in-addr.arpaIN PTRa96-17-178-174deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN A
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388159_1NBF8GOWJ5DM8FFCH&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239339388159_1NBF8GOWJ5DM8FFCH&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 533662
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 15BD74E53BEE420FABAF69270A69203C Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:29Z
date: Sun, 10 Mar 2024 02:57:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 415130
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 394FCCD40A7341CF9A0966AF3BCA4027 Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:29Z
date: Sun, 10 Mar 2024 02:57:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301146_1A6Y190CSARJQINGA&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301146_1A6Y190CSARJQINGA&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 477205
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5757460C1407429C900142A32D3C2482 Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:29Z
date: Sun, 10 Mar 2024 02:57:29 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301555_15WHULHLEWM8YZRKT&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301555_15WHULHLEWM8YZRKT&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 428833
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0A82D2FD14284734887B021656BD5668 Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:29Z
date: Sun, 10 Mar 2024 02:57:29 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 429154
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 63DBE602DF514769976C75235ADFCC80 Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:30Z
date: Sun, 10 Mar 2024 02:57:29 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388160_16ZRTS9JM6TCD49ZM&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239339388160_16ZRTS9JM6TCD49ZM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 395357
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6982DFD9F61A47DBA2726BA86C638101 Ref B: LON04EDGE0909 Ref C: 2024-03-10T02:57:30Z
date: Sun, 10 Mar 2024 02:57:29 GMT
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.204.248.87.in-addr.arpaIN PTRResponse0.204.248.87.in-addr.arpaIN PTRhttps-87-248-204-0lhrllnwnet
-
Remote address:8.8.8.8:53Request0.204.248.87.in-addr.arpaIN PTRResponse0.204.248.87.in-addr.arpaIN PTRhttps-87-248-204-0lhrllnwnet
-
Remote address:8.8.8.8:53Request176.178.17.96.in-addr.arpaIN PTRResponse176.178.17.96.in-addr.arpaIN PTRa96-17-178-176deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request176.178.17.96.in-addr.arpaIN PTRResponse176.178.17.96.in-addr.arpaIN PTRa96-17-178-176deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request58.189.79.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.189.79.40.in-addr.arpaIN PTRResponse
-
1.3kB 8.5kB 17 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239339388160_16ZRTS9JM6TCD49ZM&pid=21.2&w=1080&h=1920&c=4tls, http299.7kB 2.8MB 2028 2023
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388159_1NBF8GOWJ5DM8FFCH&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301146_1A6Y190CSARJQINGA&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301555_15WHULHLEWM8YZRKT&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388160_16ZRTS9JM6TCD49ZM&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200 -
1.3kB 8.5kB 17 14
-
1.3kB 8.2kB 17 15
-
1.2kB 587 B 12 7
-
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
209.178.17.96.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
104.241.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
119.110.54.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
211.135.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
173.178.17.96.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
205.47.74.20.in-addr.arpa
DNS Request
205.47.74.20.in-addr.arpa
-
144 B 274 B 2 2
DNS Request
174.178.17.96.in-addr.arpa
DNS Request
174.178.17.96.in-addr.arpa
-
144 B 316 B 2 2
DNS Request
11.227.111.52.in-addr.arpa
DNS Request
11.227.111.52.in-addr.arpa
-
213 B 145 B 3 1
DNS Request
206.23.85.13.in-addr.arpa
DNS Request
206.23.85.13.in-addr.arpa
DNS Request
206.23.85.13.in-addr.arpa
-
124 B 173 B 2 1
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
144 B 316 B 2 2
DNS Request
88.156.103.20.in-addr.arpa
DNS Request
88.156.103.20.in-addr.arpa
-
142 B 232 B 2 2
DNS Request
0.204.248.87.in-addr.arpa
DNS Request
0.204.248.87.in-addr.arpa
-
144 B 274 B 2 2
DNS Request
176.178.17.96.in-addr.arpa
DNS Request
176.178.17.96.in-addr.arpa
-
144 B 274 B 2 2
DNS Request
18.134.221.88.in-addr.arpa
DNS Request
18.134.221.88.in-addr.arpa
-
146 B 212 B 2 2
DNS Request
200.197.79.204.in-addr.arpa
DNS Request
200.197.79.204.in-addr.arpa
-
142 B 290 B 2 2
DNS Request
58.189.79.40.in-addr.arpa
DNS Request
58.189.79.40.in-addr.arpa
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
444KB
MD5d2e6619dbecce967111d717059cc1a04
SHA1ce37798b2b9b0d892f111c28804f38fa26b42685
SHA25672e811516b000b63569a7d08c952b579bb492c45fa862a23a503df37c73e13b8
SHA512bd39941e7ec310aea11d90df0b43bf530d68cb1cc31b0b4f9342b0cb7279121b264732e590ada4742f39f2208e1b9b6c0cbfa1a26f647918a5652738e570a1a5