Overview

overview

7

Static

static

3

2024-03-28...ia.exe

windows7-x64

7

2024-03-28...ia.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2024, 17:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.exe

  • Size

    464KB

  • MD5

    5b9d47e78146e531252a0828526bde55

  • SHA1

    9e57efc3ee67aaa2d546808f5698d97b7f550a84

  • SHA256

    75a9f9ddbf84328967dff99b8fd7cac5dfeffc9c63237d0caf780776bf19ce2f

  • SHA512

    053570a82e68e87bb8d32c76709c3d3e64777f8679a1bf6c731b0752ae4434f4bef34ee89ba5aa5bb8cfc3dce42ed0f5217b377d49078f75fac5a67fd8e84059

  • SSDEEP

    6144:zRPu8zwNAZYCZrIik3tHcXkBpqMbsqrQeMq9pvbZMKkCsjA7f9leLsH5f:zJrIik3ikB4MbtRTHNs0/l9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\3F6A.tmp
      "C:\Users\Admin\AppData\Local\Temp\3F6A.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.exe E415854154525C270D0C07D8A3AC9F51A1C8019E6FC890664EE66338C5B9D873E6AE1DE491CB2BD7D50F21E3198D873BF833C21CED099770C38F0636253E0221
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:4324

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2024-03-28_5b9d47e78146e531252a0828526bde55_mafia.docx
          Filesize

          21KB

          MD5

          7079891932a64f097abafd233055a1e9

          SHA1

          246d95feafe67689d49a5a4cadba18d3ac1914e5

          SHA256

          c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

          SHA512

          6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3F6A.tmp
          Filesize

          464KB

          MD5

          a761293e09b00e8de282a0fb43dff005

          SHA1

          d3d22829e6fb785eaf6ac9839576f4b0f55a674c

          SHA256

          216c2d40f6d00f1f56ee18a293a1b1bd73c15dcbc86a68d7285e467e504705d7

          SHA512

          146daedf7334d0cb39025fabe42f107197d0834a2f202ca4a36354198c0d3fbe08a74cfde7e6b043f24755967e48365bd96bbd2df69d14b5c8bcb5dcd2b245d9

          Download Submit

        • memory/4324-16-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-19-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-11-0x00007FFA8CAF0000-0x00007FFA8CB00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-13-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-12-0x00007FFA8CAF0000-0x00007FFA8CB00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-14-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-15-0x00007FFA8CAF0000-0x00007FFA8CB00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-17-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-9-0x00007FFA8CAF0000-0x00007FFA8CB00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-10-0x00007FFA8CAF0000-0x00007FFA8CB00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-18-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-21-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-20-0x00007FFA8A2F0000-0x00007FFA8A300000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-22-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-23-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-24-0x00007FFA8A2F0000-0x00007FFA8A300000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4324-25-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4324-38-0x00007FFACCA70000-0x00007FFACCC65000-memory.dmp

          Filesize

          2.0MB

          Download