23b25c4e8fe3a70a8f17bc0a0f75991f499b3e5ef23613857146cc319be01acf

General

Target

2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe
Size

462KB
MD5

2ded95ae2ccb8a4bf22d6c937285e485
SHA1

9dd45ea92a71ed88497d8b21aba865faf00b8d6e
SHA256

23b25c4e8fe3a70a8f17bc0a0f75991f499b3e5ef23613857146cc319be01acf
SHA512

d1a38bbebb153b85760965efde721587d3a1ec85983a80f6af6f02a5d3f0165bef5292f4f33f1a9404bc25391858323557f7ac546f819f22813731b3a078fa76
SSDEEP

12288:loJe5X8b7d9KCMLyqfblmDH9+cQIaMIuj:loJw8b7d5qDl+cu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	1F53.tmp

Loads dropped DLL 1 IoCs

pid	Process
2904	2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2436	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	1F53.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2436	WINWORD.EXE
2436	WINWORD.EXE
2436	WINWORD.EXE
2436	WINWORD.EXE
2436	WINWORD.EXE
2436	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2016	2904	2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe	28
PID 2904 wrote to memory of 2016	2904	2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe	28
PID 2904 wrote to memory of 2016	2904	2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe	28
PID 2904 wrote to memory of 2016	2904	2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe	28
PID 2016 wrote to memory of 2436	2016	1F53.tmp	29
PID 2016 wrote to memory of 2436	2016	1F53.tmp	29
PID 2016 wrote to memory of 2436	2016	1F53.tmp	29
PID 2016 wrote to memory of 2436	2016	1F53.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\1F53.tmp
  "C:\Users\Admin\AppData\Local\Temp\1F53.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.exe 1972F7F905FB560B4BC96E9C1572F777D5099C31BC468A0DFD49D2620A837A07F06A9B8362ECC0EF0FC7C968FF6B1DF23B5F8EC714509C37F92419AE6C07F15E
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-26_2ded95ae2ccb8a4bf22d6c937285e485_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
\Users\Admin\AppData\Local\Temp\1F53.tmp

Filesize
462KB

MD5
e5a9ddedbb1fb997f0c43cb9b737f241

SHA1
d7bff7c136b2a30367ecfeb6da092bbfb371a9bc

SHA256
b6071c3131a808f699dd751bcb68499081c5485ebc9f805182a89693287b7f36

SHA512
d08cafd7a12e93acd46e084272aca5458a75374b8c94fd9cfbc64602eeba91778301e3f8d003370cd7abc0ca096dff92a15213c78e0264e4db15e782b29c1d65

Download Submit
memory/2436-7-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2436-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2436-9-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2436-13-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing