f28bb8629a24bf383ddb5c765221d7539f97afce82d60a4131f8ae342ec37fbc

General

Target

2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe
Size

462KB
MD5

5dc0335d13d0e3684e68f4126f3d713d
SHA1

a1b07702976f8a9b45e681bcd914079d77e99460
SHA256

f28bb8629a24bf383ddb5c765221d7539f97afce82d60a4131f8ae342ec37fbc
SHA512

c851cdb11594575362a0b9acdc00bbcaa552925a2a42c082c80064949a57e14911affc58db8e75d32811d22a06d3f48d0429e6346ee45f9b86cbd897bb623265
SSDEEP

6144:lA4psmawWIrFUJe5X8bbUnskLa833y45woFnn3DnhnIRT5jcIpM/3nsHOj:loJe5X8bJkLaoWOnn3DnZIRVjxS/cuj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2580	10D2.tmp

Loads dropped DLL 1 IoCs

pid	Process
2092	2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2528	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2580	10D2.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2528	WINWORD.EXE
2528	WINWORD.EXE
2528	WINWORD.EXE
2528	WINWORD.EXE
2528	WINWORD.EXE
2528	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2580	2092	2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe	28
PID 2092 wrote to memory of 2580	2092	2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe	28
PID 2092 wrote to memory of 2580	2092	2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe	28
PID 2092 wrote to memory of 2580	2092	2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe	28
PID 2580 wrote to memory of 2528	2580	10D2.tmp	29
PID 2580 wrote to memory of 2528	2580	10D2.tmp	29
PID 2580 wrote to memory of 2528	2580	10D2.tmp	29
PID 2580 wrote to memory of 2528	2580	10D2.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\10D2.tmp
  "C:\Users\Admin\AppData\Local\Temp\10D2.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.exe A5149166F8C6A405B005BB0EBCF3DDFA9899941CDBD96E49588F166674C9557912E075815B68F36E0A57F9566FA21B4E7671CE1F51D602049F3227B8FD4C87A2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10D2.tmp

Filesize
462KB

MD5
64fed27644a49efaf40f2acbfb9f8c01

SHA1
30cfdde2106e5cda65a249b7bfd91de776ee5c90

SHA256
cd09754c1052b8a6a016d2f6f9db0ea93797129f2b350d2c81b493290832a2e2

SHA512
6f6057edb3652fc68e3139a1be29942d436ef81a27a10596bda6cfd012ed4e43cdd4f3a3602bcc8a55b0ae3ebd6c6543cc9d8c494476c784b761139537b66e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-26_5dc0335d13d0e3684e68f4126f3d713d_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
memory/2528-7-0x000000002F721000-0x000000002F722000-memory.dmp

Filesize
4KB

Download
memory/2528-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2528-9-0x00000000710AD000-0x00000000710B8000-memory.dmp

Filesize
44KB

Download
memory/2528-13-0x00000000710AD000-0x00000000710B8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing