fb3aeb9e02d7891699b2bb1bcbacfdf30e04e9f3973f12a521427cb0f3338f1e

General

Target

2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe
Size

462KB
MD5

90ec495290096cdc6d5402b4a167ab66
SHA1

caadd6ae495dc2ec88849ca782439fb9b4d4bb42
SHA256

fb3aeb9e02d7891699b2bb1bcbacfdf30e04e9f3973f12a521427cb0f3338f1e
SHA512

ae12aa6624af4915144174cc72b75f2be96bcc27feb68f924850950ab8084274d14fe0a936cf544aa14c0f6f0086ed5f39017777f5abb372fa9949c3519742b2
SSDEEP

6144:lA4psmawWIrFUJe5X8bbUXfDYCKCENMpY25H0C1HoUpLhyWsHOj:loJe5X8baTP66Y250C1Ho+dynuj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	86C4.tmp

Executes dropped EXE 1 IoCs

pid	Process
1008	86C4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	86C4.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1008	86C4.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 1008	4592	2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe	93
PID 4592 wrote to memory of 1008	4592	2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe	93
PID 4592 wrote to memory of 1008	4592	2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe	93
PID 1008 wrote to memory of 2204	1008	86C4.tmp	97
PID 1008 wrote to memory of 2204	1008	86C4.tmp	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\86C4.tmp
  "C:\Users\Admin\AppData\Local\Temp\86C4.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.exe 0CC16990325F67D0164D3226D16C79BCC9A0DB841062481B35B6AA04CD9C5AF6FD7671EA0770A8BBA633A62F8511CF55A1CFC51FDAE3F6CD91F0BF7C1C73C3FB
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-26_90ec495290096cdc6d5402b4a167ab66_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
C:\Users\Admin\AppData\Local\Temp\86C4.tmp

Filesize
462KB

MD5
0a8b00516f47e103035596f7b96076f5

SHA1
118da4658b827fe091d991abcb0b1fb6b54777ae

SHA256
f6dcf4384c6db51c7d6a9e849109bd4b8a0c3d668e4e74c625d3a41ddb9384da

SHA512
f0bf72462a72130c803534d803666c0714a60e9f604e5e6e59e74893259911029da667ee2ab8282d72d7642aeac2e35cc9d7957f7bf308809ed1b03c89d1fdaf

Download Submit
memory/2204-19-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-15-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-11-0x00007FFB7BBB0000-0x00007FFB7BBC0000-memory.dmp

Filesize
64KB

Download
memory/2204-12-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-13-0x00007FFB7BBB0000-0x00007FFB7BBC0000-memory.dmp

Filesize
64KB

Download
memory/2204-14-0x00007FFB7BBB0000-0x00007FFB7BBC0000-memory.dmp

Filesize
64KB

Download
memory/2204-20-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-16-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-17-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-18-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-10-0x00007FFB7BBB0000-0x00007FFB7BBC0000-memory.dmp

Filesize
64KB

Download
memory/2204-9-0x00007FFB7BBB0000-0x00007FFB7BBC0000-memory.dmp

Filesize
64KB

Download
memory/2204-25-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-21-0x00007FFB79720000-0x00007FFB79730000-memory.dmp

Filesize
64KB

Download
memory/2204-23-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-24-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-22-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-26-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-27-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-28-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-29-0x00007FFB79720000-0x00007FFB79730000-memory.dmp

Filesize
64KB

Download
memory/2204-45-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-46-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download
memory/2204-47-0x00007FFBBBB30000-0x00007FFBBBD25000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads