bbbc208cfcb228d2ba74c781fa09e1fc87863f6ba9484cb9f18bf6fc50082434

Analysis

max time kernel
2s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe
Size

467KB
MD5

b929accd41cdb4c798fc762c2024aecb
SHA1

309018dc66d00030f903e7ecb52bc9b4bc860f93
SHA256

bbbc208cfcb228d2ba74c781fa09e1fc87863f6ba9484cb9f18bf6fc50082434
SHA512

4bfb0999ddc3695f9c4c8238ccd053ba5a9f18d50df0f48e27b9ccb70bc1af1a633576f66e87be3e9426c0acf106baaea8643f1d3050d0dcd8e81aede23b6444
SSDEEP

12288:Bb4bZudi79LPukJl5JxPfyLQoxq44mj7HGWAk:Bb4bcdkLPukl5PCL04/DGs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
468	37D9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
468	37D9.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 468	3984	2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe	88
PID 3984 wrote to memory of 468	3984	2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe	88
PID 3984 wrote to memory of 468	3984	2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\37D9.tmp
  "C:\Users\Admin\AppData\Local\Temp\37D9.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.exe F1E6DD47E4929952E99458FDB3D9062E362EBD486553750C695DB7690189E825370EB791FFB859C49A572072735DA527464343A780AF983019344839D99AFD9E
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  PID:468
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.doc" /o ""
    3⤵
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-15_b929accd41cdb4c798fc762c2024aecb_mafia.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\37D9.tmp

Filesize
467KB

MD5
74dee17ee53a5774200dfb26afc3c5e4

SHA1
d9793b280d7a7cac6b1afbf1dbbc9c0f9d054417

SHA256
6efa769ef23daca4d63fcda083e1120f9993603b2b5454219508d97634eab4f3

SHA512
d7e481ed2a20c133295597fa5a65c35215523691d5d4615042a7de39c4c9b78bb0b346b034ebc6e2156c46e9db0b43ca7350e19f520057a28e3bfe8951b872a8

Download Submit