86211b1efe265d6cf39c86d8af98dd99fc0a927dd4465362b0cfc24aa23e86ac

General

Target

2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
Size

4.0MB
MD5

e9700ee19d13bc5d0bff829cfd9335df
SHA1

67d67d24e0d0c5bf3e0f9d54a219caf2245fd092
SHA256

86211b1efe265d6cf39c86d8af98dd99fc0a927dd4465362b0cfc24aa23e86ac
SHA512

c8aad6429933b30fc74a61a7cad7226c55e04f8cd4436bd4581decf5bbaaea1eee74ca7a09262e12b9f512337e37c9d2e7e86f732c8e18cfc674b92d82086da0
SSDEEP

49152:e1aJm5TYkvCkXUfHR/SuF5QZuTtS0rQMYOQ+q8CEM3YHcY0W3luNaeae7nHzc9KG:0U0SfHxSuFWsM0r1QnbAO5zvc0FeZ

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2840 created 3132	2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe	54

Detects executables packed with VMProtect. 3 IoCs

resource	yara_rule
behavioral2/memory/2840-0-0x0000000000950000-0x0000000000A52000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2840-1-0x0000000000950000-0x0000000000A52000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2840-4-0x0000000000950000-0x0000000000A52000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233cf-8.dat	UPX
behavioral2/memory/2896-9-0x0000000000880000-0x000000000092C000-memory.dmp	UPX
behavioral2/memory/2896-35-0x0000000000880000-0x000000000092C000-memory.dmp	UPX
behavioral2/memory/2896-36-0x0000000000880000-0x000000000092C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	rBdGh.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	rBdGh.exe
5092	pin.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000233cf-8.dat	upx
behavioral2/memory/2896-9-0x0000000000880000-0x000000000092C000-memory.dmp	upx
behavioral2/memory/2896-35-0x0000000000880000-0x000000000092C000-memory.dmp	upx
behavioral2/memory/2896-36-0x0000000000880000-0x000000000092C000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2840-0-0x0000000000950000-0x0000000000A52000-memory.dmp	vmprotect
behavioral2/memory/2840-1-0x0000000000950000-0x0000000000A52000-memory.dmp	vmprotect
behavioral2/memory/2840-4-0x0000000000950000-0x0000000000A52000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe
2896	rBdGh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2896	2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe	105
PID 2840 wrote to memory of 2896	2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe	105
PID 2840 wrote to memory of 2896	2840	2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe	105
PID 2896 wrote to memory of 5092	2896	rBdGh.exe	106
PID 2896 wrote to memory of 5092	2896	rBdGh.exe	106
PID 5092 wrote to memory of 3448	5092	pin.exe	56
PID 5092 wrote to memory of 3448	5092	pin.exe	56

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\rBdGh.exe
  C:\Users\Admin\AppData\Local\Temp\rBdGh.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\pin.exe
    "C:\Users\Admin\AppData\Local\Temp\pin.exe" "C:\Users\Admin\AppData\Local\Temp\rBdGh.exe" 5386
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3448
- C:\Users\Admin\AppData\Local\Temp\2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-03-11_e9700ee19d13bc5d0bff829cfd9335df_mafia.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pin.exe

Filesize
19KB

MD5
44b878919f79e365120f1c960434870b

SHA1
c8131976421b07782a1c913eb5996581a277e047

SHA256
a6967e7a3c2251812dd6b3fa0265fb7b61aadc568f562a98c50c345908c6e827

SHA512
e9fd65eb9e01ec40d67b558e3a4be4ae24766436ed8f60b62e75cef07f2f983b3df4d7963f23d23007acee12f151359d7d3861663348ef2b360e14a84bf3d2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBdGh.exe

Filesize
283KB

MD5
9e5d4e79587ccda6f9e9a841e82b2dcf

SHA1
6b58e7472b2d78bda97f67953c6bd944a5c1d118

SHA256
415046cb084c72a418472d24047e3e4d4da36f8f156813fa12a7f88c3f50daa0

SHA512
4e43a635a6bb1f737f98286f4d63affc0cd61808c9c5abac2ae06902c07a9bdba9ffe7d04f4578f1f9df13b46fade37da3d37020ac751479089bfe06fc27615f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\rBdGh.lnk

Filesize
1KB

MD5
b2a0687c29736ae2a3c150b65048df21

SHA1
aa7b283a2e18942ee5a78e70b6a9302b571bd9fa

SHA256
0238ef9517b95fa1dcdf419128ce4eee77a5c41a36d965cad2cdcdd2fc4b2cf4

SHA512
6836a44fbca43828f441e97ff2e5e6cbc3d50710dfd1497fa0e7c874387601cc4ad5969dc880560f21f2de5bc68c7f5d691a134875006caa4903654be1950928

Download Submit
memory/2840-0-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2840-1-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2840-4-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2896-9-0x0000000000880000-0x000000000092C000-memory.dmp

Filesize
688KB

Download
memory/2896-35-0x0000000000880000-0x000000000092C000-memory.dmp

Filesize
688KB

Download
memory/2896-36-0x0000000000880000-0x000000000092C000-memory.dmp

Filesize
688KB

Download
memory/3448-22-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/3448-21-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/3448-29-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing