f67aaaeec9d14c5c506985036270c87d33b87f86aef327da906d792adbe62d71

General

Target

2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe
Size

462KB
MD5

58068c22b226c39cdafb30fdec5eda84
SHA1

edc13fc824592fbb5b36b27a4f5d75cf48fe1fc0
SHA256

f67aaaeec9d14c5c506985036270c87d33b87f86aef327da906d792adbe62d71
SHA512

dee478b8c0c888403b8b0e7bc50c82092b9967ead60fc77ab14c596efcc4417247d95fe9751d8ca29886f5edbf0ced5a650c900abe88a456f52b8b2491501fa5
SSDEEP

6144:lA4psmawWIrFUJe5X8bbU6KNUnRWvOfUYUuGnVXMUAq/c+8SuEYYn1gsHOj:loJe5X8bFKmnRWvXYXxnq0+kVYn3uj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	37E8.tmp

Executes dropped EXE 1 IoCs

pid	Process
3276	37E8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	37E8.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3588	WINWORD.EXE
3588	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3276	37E8.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE
3588	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3276	2412	2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe	90
PID 2412 wrote to memory of 3276	2412	2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe	90
PID 2412 wrote to memory of 3276	2412	2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe	90
PID 3276 wrote to memory of 3588	3276	37E8.tmp	94
PID 3276 wrote to memory of 3588	3276	37E8.tmp	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\37E8.tmp
  "C:\Users\Admin\AppData\Local\Temp\37E8.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.exe 64A05B1C0C8A1CF82F360C669F06F7D0A25787B757113CC1A5E8BB0843104752B671063F0E19AD8FE3E5C02A5CCE4736801B21030A08D561446EB68F96FAFF21
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-14_58068c22b226c39cdafb30fdec5eda84_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
C:\Users\Admin\AppData\Local\Temp\37E8.tmp

Filesize
462KB

MD5
a5bf0e6685d4ecc2f6187a5078154f47

SHA1
13213229f502e2510d9f81195bae3c59f4c65251

SHA256
33ae30ee6e28f7afd3b009c9848f8a4dc5715b0f00ad39f930cd566901186c3e

SHA512
08e87cd482511ffbee865567d839f5e8ea695be86aacd270437ddac5acaea285a2499719d1d8f33e65d7bfff8db04f9a75fcd9ec76f1448a020baa2008380f82

Download Submit
memory/3588-15-0x00007FFD484B0000-0x00007FFD484C0000-memory.dmp

Filesize
64KB

Download
memory/3588-16-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-11-0x00007FFD484B0000-0x00007FFD484C0000-memory.dmp

Filesize
64KB

Download
memory/3588-14-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-13-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-12-0x00007FFD484B0000-0x00007FFD484C0000-memory.dmp

Filesize
64KB

Download
memory/3588-9-0x00007FFD484B0000-0x00007FFD484C0000-memory.dmp

Filesize
64KB

Download
memory/3588-10-0x00007FFD484B0000-0x00007FFD484C0000-memory.dmp

Filesize
64KB

Download
memory/3588-17-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-18-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-20-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-19-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-21-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download
memory/3588-22-0x00007FFD46340000-0x00007FFD46350000-memory.dmp

Filesize
64KB

Download
memory/3588-23-0x00007FFD46340000-0x00007FFD46350000-memory.dmp

Filesize
64KB

Download
memory/3588-36-0x00007FFD88430000-0x00007FFD88625000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads